Want More Secure Software? Start Recognizing Security-Skilled Developers


Professional developers want to do the right thing, but in terms of security, they are rarely set up for success. Organizations must support their upskilling with precision training and incentives if they want secure software from the ground up.

The cyber threat landscape grows more complex by the day, with our data widely considered highly desirable “digital gold”. Attackers constantly scan networks for vulnerable applications, programs and cloud instances, and the latest flavor of the month is APIs: Gartner correctly predicted that they would become the most common attack vector in 2022, in no small part thanks to their often lax security controls.

Threat actors are so persistent that new apps can sometimes be compromised and exploited within hours of deployment. The Verizon 2022 Data Breach Investigations Report reveals that errors and misconfigurations were the cause of 13% of breaches, with the human element responsible overall for 82% of the 23,000 analyzed incidents.

It’s becoming very clear that the only way to truly fortify the software being created is to ensure that it’s built on secure code. In other words, the best way to stop the threat actor invasion is to deny them a foothold into your software in the first place. Cybercriminals are at a distinct advantage against organizations scrambling to defend their often vast attack surface, and any windows of opportunity that can be shut for good significantly reduce risk.


We make it hard for security stars to shine

The current status quo for developers at many organizations is such that their primary role is to build awesome features and deploy software at speed. The faster that developers can code and deploy, the more valuable they tend to be seen in terms of their performance reviews.

Security can be an afterthought, if considered at all, and is conspicuously absent as a measure of developer success. The 2022 State of Developer-Driven Security Survey, conducted in conjunction with Evans Data, supports this outlook, with 86% of surveyed developers revealing that they do not view application security as a top priority. Instead, much of that is left to the application security (AppSec) teams to figure out. AppSec teams tend to be a source of frustration to most developers, because they would often send completed applications back into development to apply security patches, or to rewrite code to remediate vulnerabilities. And every hour that a developer spent working on an app that was already “finished” was an hour they were not creating new apps and features, thus decreasing their performance (and their value, in the eyes of a particularly punitive company).

However, the modern threat environment has forced everyone, from companies to government departments, to rethink the importance and prioritization of security, and they would be well-placed to consider how the development cohort fits into a defensive approach. According to the recent 2022 Cost of a Data Breach Report from IBM and the Ponemon Institute, the average cybersecurity breach now costs about $4.24 million per incident, although that is hardly the upper limit. The companies of today want the security offered by DevSecOps, but, sadly, have been slow to reward developers who answer that call.

Simply telling the development teams to consider security won’t work, especially if they are still being incentivized based on speed alone. In fact, within such a system, developers who take the time to learn about security and secure their code could actually be losing out on better performance reviews and lucrative bonuses that their less-security-aware colleagues continue to earn. It’s almost like companies are unwittingly rigging the system for their own security shortcomings, and it comes back to their perception of the development team. If companies don’t see developers as the security front line, then a viable plan to utilize that workforce is very unlikely to come to fruition.

And this doesn’t even account for the lack of training. Some very skilled developers have decades of experience coding, but very little when it comes to security… after all, it was never required of them, nor a measure of success or quality work. Unless a company provides a good training program, it can hardly expect its developers to suddenly gain new skills and put them into action in a meaningful way that actively reduces vulnerabilities.

(Want to compete against other elite developers from around the world, or nominate your own dev team of security superstars? Join Secure Code Warrior’s 2022 Devlympics, our biggest and best global secure coding tournament, and you could win big!)


Rewarding developers for good security practices

The good news is that the overwhelming majority of developers do their job because they find it both challenging and rewarding, and because they enjoy the respect that their position entails. Lifelong software engineer Michael Shpilt recently wrote about all of the things that motivate him and his colleagues in their development work. Yes, he lists monetary compensation among those incentives, but it’s surprisingly far down the list. Instead, he prioritizes the thrill of creating something new, skills development, and the satisfaction of knowing that his work is going to be directly used to help others. He also talks about wanting to feel valued within his company and community. In short, developers are no different from a lot of good people who take pride in their work.

Developers like Shpilt don’t want threat actors compromising their code and using it to harm their company, or the very users they are trying to help. But they can’t suddenly shift their priorities to security without support.

To help development teams improve their cybersecurity prowess, they must first be taught the necessary skills. Utilizing a tiered approach to learning, as well as tools that are purpose-built to integrate seamlessly into their actual workflow, can make this process much less painful while helping to build upon existing knowledge in the right context.

With a commitment to upskilling in place, the old methods of evaluating developers based solely on speed need to be eliminated. Instead, developers should be rewarded based on their ability to create good, secure coding patterns, with the best candidates becoming security champions that help the rest of the team improve their skills. And those champions need to be rewarded with both company prestige and monetary compensation. It’s also important to remember that developers don’t typically have a positive experience with security, and uplifting them with positive, fun learning and incentives that speak to their interests will go a long way to ensuring both knowledge retention and a desire to keep building skills.

(Want to compete against other elite developers from around the world, or nominate your own dev team of security superstars? Join Secure Code Warrior’s 2022 Devlympics, and you could take out a major cash prize in our global tournaments!)
