Professional developers want to do the right thing, but in terms of security, they are rarely set up for success. Organizations must support their upskilling with precision training and incentives if they want secure software from the ground up.
The cyber threat landscape grows more complex by the day, with our data widely regarded as highly desirable "digital gold". Attackers constantly scan networks for vulnerable applications, programs and cloud instances, and the latest flavor of the month is APIs: Gartner correctly predicted that they would become the most common attack vector in 2022, in no small part thanks to their often lax security controls.
Threat actors are so persistent that new apps can sometimes be compromised and exploited within hours of deployment. The Verizon 2022 Data Breach Investigations Report reveals that errors and misconfigurations were the cause of 13% of breaches, with the human element responsible overall for 82% of the 23,000 analyzed incidents.
It's becoming very clear that the only way to truly fortify the software being created is to ensure that it's built on secure code. In other words, the best way to stop the threat actor invasion is to deny them a foothold into your software in the first place. Cybercriminals are at a distinct advantage against organizations scrambling to defend their often vast attack surface, and any windows of opportunity that can be shut for good significantly reduce risk.
We make it hard for security stars to shine
The current status quo for developers at many organizations is such that their primary role is to build awesome features and deploy software at speed. The faster that developers can code and deploy, the more valuable they tend to be seen in terms of their performance reviews.
Security can be an afterthought, if considered at all, and is conspicuously absent as a measure of developer success. The 2022 State of Developer-Driven Security Survey, conducted in conjunction with Evans Data, supports this outlook, with 86% of surveyed developers revealing that they do not view application security as a top priority. Instead, much of that is left to the application security (AppSec) teams to figure out. AppSec teams tend to be a source of frustration to most developers, because they often send completed applications back into development to apply security patches or to rewrite code to remediate vulnerabilities. And every hour a developer spends working on an app that was already "finished" is an hour not spent creating new apps and features, thus decreasing their performance (and their value, in the eyes of a particularly punitive company).
However, the modern threat environment has forced everyone, from companies to government departments, to rethink the importance and prioritization of security, and they would be well-placed to consider how the development cohort fits into a defensive approach. According to the recent 2022 Cost of a Data Breach Report from IBM and the Ponemon Institute, the average cybersecurity breach now costs about $4.24 million per incident, although that is hardly the upper limit. The companies of today want the security offered by DevSecOps, but, sadly, have been slow to reward developers who answer that call.
Simply telling the development teams to consider security won't work, especially if they are still being incentivized based on speed alone. In fact, within such a system, developers who take the time to learn about security and secure their code could actually be losing out on better performance reviews and lucrative bonuses that their less-security-aware colleagues continue to earn. It's almost as if companies are unwittingly rigging the system in favor of their own security shortcomings, and it comes back to their perception of the development team. If companies don't see developers as the security frontline, it's very unlikely that a viable plan to use that workforce defensively will come to fruition.
And this doesn't even account for the lack of training. Some very skilled developers have decades of experience coding, but very little when it comes to security… after all, it was never required of them, nor a measure of success or quality work. Unless a company provides a good training program, it can hardly expect its developers to suddenly gain new skills and put them into action in a meaningful way that actively reduces vulnerabilities.
(Want to compete against other elite developers from around the world, or nominate your own dev team of security superstars? Join Secure Code Warrior's 2022 Devlympics, our biggest and best global secure coding tournament, and you could win big!)
Rewarding developers for good security practices
The good news is that the overwhelming majority of developers do their job because they find it both challenging and rewarding, and because they enjoy the respect that their position entails. Lifelong software engineer Michael Shpilt recently wrote about all of the things that motivate him and his colleagues in their development work. Yes, he lists monetary compensation among those incentives, but it's surprisingly far down the list. Instead, he prioritizes the thrill of creating something new, skills development, and the satisfaction of knowing that his work is going to be directly used to help others. He also talks about wanting to feel valued within his company and community. In short, developers are no different to a lot of good people who take pride in their work.
Developers like Shpilt don't want threat actors compromising their code and using it to harm their company, or the very users they are trying to help. But, they can't suddenly shift their priorities to security without support.
To help development teams improve their cybersecurity prowess, they must first be taught the necessary skills. Utilizing a tiered approach to learning - as well as tools that are purpose-built to integrate seamlessly into their actual workflow - can make this process much less painful while helping to build upon existing knowledge in the right context.
With a commitment to upskilling in place, the old methods of evaluating developers based solely on speed need to be eliminated. Instead, developers should be rewarded based on their ability to create good, secure coding patterns, with the best candidates becoming security champions that help the rest of the team improve their skills. And those champions need to be rewarded with both company prestige and monetary compensation. It's also important to remember that developers don't typically have a positive experience with security, and uplifting them with positive, fun learning and incentives that speak to their interests will go a long way to ensuring both knowledge retention and a desire to keep building skills.
(Want to compete against other elite developers from around the world, or nominate your own dev team of security superstars? Join Secure Code Warrior's 2022 Devlympics, and you could take out a major cash prize in our global tournaments!)