Only 20% of new developers receive secure coding training, says report
According to a recent report, only 20% of newly hired developers have received secure coding training. This is an issue that is more significant than it may seem as application use is growing by the day, and it is only eclipsed by the increasing need for secure code in applications.
There are risks to having a team of developers who lack security best practices, and a number of key oversights might be made based upon their lack of secure code training. Ongoing, targeted skill development can help efficiently reduce those risks.
ESG recently released the “Modern Application Development Security report. It highlighted some troubling gaps in security training for developers. This survey said only 20% of the organizations surveyed offer training in secure coding to new developers they hire. Additionally, 35% of organizations surveyed said less than half of the developers in their employ even take part in formal training. Even worse, less than 50% of surveyed organizations require their developers to take part in formal training more than once a year. These findings leave developers and the application they work on with potentially serious secure coding gaps.
When developers lack security best practices
What happens when developers do not have or are not trained in security best practices? The organization will be the victim. When developers do not know security best practices, they are more likely to suffer the security pitfalls that security best practices are intended to help you avoid. For instance, when developers do not enforce the least privilege, the application can be in jeopardy as unnecessary access rights can result in a nightmare scenario. Security best practices are the result of years of information security experience, and there is no good excuse to not pay heed to the solid security guidance that security best practices offer up to those with the proverbial “eyes that see and ears that hear.”
When developers lack security best practices it will hit the organization in its pocketbook. According to Microsoft’s director of Trustworthy Computing, Tim Rains, using secure coding leads to some real cost savings for the organization. When developers do not have security best practices, the organization will lose out on this cost savings when their developers suffer pitfalls along the way of the application development lifecycle.
Key oversights due to not having secure coding training
The examples of what can happen to an organization when its development team does not have secure training were just a taste of how big this problem can become. When developers do not have secure coding training, it sets up a bad pattern when application development gets rolling. The longer it takes to find a vulnerability introduced by developers, the more costly it is to identify and fix vulnerabilities.
Below are the key oversights that developers who lack secure coding training are likely to make as they create a web application:
- Broken authentication
- Sensitive data exposure
- XML external entities (XXE)
- Broken access control
- Security misconfigurations
- Cross-site scripting (XSS)
- Insecure deserialization
- Using components with known vulnerabilities
- Insufficient logging and monitoring
If you have been paying attention, these are the Open Web Application Security Project’s (OWASP) top 10 vulnerabilities. The OWASP online community is dedicated to web application security. It is a solid starting point for secure coding training because it presents the top vulnerabilities which should be on every developer’s mind when coding.
Targeted skill development to efficiently reduce risks
While it is a bit scary how destructive it can be for application development that doesn’t heed the call of secure coding, the risk can be efficiently reduced with targeted skill development. Targeted skill development can be accomplished by offering secure coding training for developers, which would be most effective if developers begin receiving this training as soon as they are hired. The best thing about this is the fact that you do not have to create a program for targeted skill development. There are already many resources available for this training. Below is a look at some resources available for secure coding training:
- OWASP Top 10: if there was a general standard for targeted skill development for secure coding, the OWASP Top 10 is most likely that standard. It is the most fundamental of training resources for secure coding and contains the usual suspects that developers need to know.
- Common Weakness Enumeration (CWE): offered by MITRE, CWE includes over 700 known weaknesses that can be viewed by development, research and architectural concepts. It also trains participants in the common vulnerabilities and exposures list (CVE).
- “24 Deadly Sins of Software Security”: this resource is a book that focuses on typical security flaws you will encounter while developing. It includes some of the OWASP Top 10 as well as some flaws that did not make it on the list.
- OWASP – Security by Design Principles: created by OWASP, this resource offers guidance for secure application development at the design stage.
Reduce risk with secure coding training
One of the biggest problems with application development today is that only around one in five developers has received secure coding training. This can cost organizations that neglect secure coding training when they have to backtrack and fix weaknesses that could have been prevented from the beginning with proper training. The good thing is that targeted skills development regarding secure coding for developers can patch this skills gap and help prevent the damage that a lack of secure coding training can cause.
- How 80% of Orgs Can Overcome a Lack of Training for Developers, Veracode.
- Study: Majority of U.S. Developers us no Secure Coding Processes, Visual Studio Magazine.