DevSecOps in DACH: Key findings from secure coding pilot programs
Cybersecurity best practice has been a hot-button issue for more than a decade, discussed frequently at a government level in most regions all over the world. Cyberattacks are essentially a daily reality, and any entity storing valuable private data online is a potential target. In Germany alone, the Federal Ministry of Education and Research estimates that 96 percent of all small and medium-sized enterprises have already experienced an IT security incident. The same report highlights the urgent need for cybersecurity research, legislation and awareness, with a definitive callout for the inclusion of more robust security training in computer science and IT-related fields.
With the advent of GDPR, as well as a revised strategy following a multi-stage attack that exposed the sensitive data of many public figures - as well as servers in the German federal government - it is clear that cybersecurity awareness and action are front-of-mind for leaders in the DACH region. The late-2018 hack was executed by a 20-year-old student of relatively low skill, with his main access point to highly sensitive information made possible through simply guessing passwords. While this was an extremely concerning authentication exploit, it did highlight the need for far better security awareness at government, business, and societal levels. A 2019 report highlighted that Germany was falling behind in terms of cybersecurity defense initiatives, relying on legislation as the main tactic. However, with the arrival of DevSecOps as an ideal development methodology, many businesses have recognized the need for practical training, secure-by-design software creation, and company-wide security awareness programs.
The software security heartbeat in DACH
Organizations like OWASP and MITRE publish data-verified rankings of the most frequently occurring vulnerabilities. Across all languages, SQL injection ranks at number one, and despite it being decades old it is a common flaw and often exploited with disastrous consequences.
Swiss BPC banking software, SmartVista, was alerted to a SQLi vulnerability by SwissCERT, however, it remained unpatched for months despite its potential to expose sensitive customer data, including credit card numbers. SQL injection can and does lead to dangerous breaches, just like the 2017 breach of multiple government departments and universities in the US and UK. Many of these incidents are caused by lax input validation processes, allowing an attacker to insert malicious code from the front-end of an application. Another common vulnerability source is using insecure vendor code that goes unchecked for security bugs, and flaws are thus introduced into a previously scanned and cleared production environment. Neither of these access points is specific to the DACH region, rather, they are global examples of poor security practices that cannot continue as the world produces more code.
It is imperative to patch issues as soon as they are discovered, and SmartVista's decision to drag their feet could have been a disaster. While DACH has had its share of breaches, more focused guidelines and support in security awareness and training could prevent potential issues at the organizational level getting out of hand, and this will require legislation that is far more specific in driving assessed training for developers.
Not all secure code training is created equal.
Many cybersecurity directives around the world are becoming more comprehensive, however, they remain rather nonspecific when it comes to outlining effective security training. The NIS directive in the EU does include the requirement for "awareness-raising, training and education" at a national level, but rushing into a training solution may not have the desired outcome of tangible risk reduction if it is missing key elements that drive upskilling developers and organizational change.
Education solutions vary, and training must be specific to the developer's day job (including the ability to learn in their preferred language and framework) as well as remain engaging and measurable over time.
Static training solutions, such a computer-based video training is often too generic, and rarely revisited or assessed on its success in driving the awareness and skill to stop vulnerabilities entering code as it is being written. Dynamic training, however, is vital in upskilling developers with contextual examples, in addition to providing metrics that influence business mitigation processes. It is updated frequently, promotes a high level of knowledge retention and is part of building security-aware developers that contribute to a positive security culture in their workplace.
Secure Code Warrior data points from DACH pilots:
Secure Code Warrior's Ema Rimeike, Sales Director (MSc in Cyber Security) has been working closely with organizations in the DACH region, running pilot programs for developers to gauge in-house secure coding competency among developers, their engagement with security best practice, as well as the overall security culture of the business. Utilizing gamified, dynamic secure code training, her key findings reveal a bright future when developers are given the knowledge and tools that foster successful vulnerability reduction from the start of the SDLC.
During her pilot programs, she collated statistics based on an average of 90 minutes spent per user on the Secure Code Warrior (SCW) platform, in which they played 15 secure coding challenges (bite-sized, gamified and self-paced lessons):
Users spent an average time of 5.5 minutes to complete one challenge, versus 3 minutes on average for other global SCW pilots.
- Accuracy vs.Confidence: The DACH pilots registered an average percentage of between 88-92% for confidence in their answers to challenges, yet the accuracy of these answers sat between 53-66%
- Over 75% of surveyed participants prefer gamified - or dynamic - training methods, in contrast to static approaches like computer-based training (CBT).
- Amongst the most frequently seen vulnerabilities, we saw Injection Flaws, Security Misconfiguration, Cross-Site Scripting (XSS), Improper Platform Usage, Access Control, Authentication, Memory Corruption, Cross Site Request Forgery, Insufficient Transport Layer Protection and Unvalidated Redirects and Forwards
It is no secret that, in general, a strong work ethic and focus on precision is valued by many in the DACH region, and the developers trying the pilot program are no exception. These data points speak to their unfamiliarity with this type of training, but also a desire to keep playing, improve their score and avoid using the "hint" feature available. Their desire to learn and improve is evident, but it also shows that more work must be done to implement effective training and awareness within the organization itself.
Great training that reduces risk and thwarts vulnerabilities is not a one-off exercise, and it's more than compliance. An effort must be made by managers and AppSec personnel to roll out a security awareness program with strategy and support that reflects core security goals and seeks to maintain them long-term. This is, in effect, the backbone of a successful DevSecOps process with security-aware developers.
What does a pilot program reveal to an organization?
Secure Code Warrior's pilot programs are an incredibly valuable tool in giving businesses a snapshot of their current security health, (usually between 65-75 %), as well as areas for immediate improvement. They reveal:
- Clarity on which vulnerabilities must be addressed as a priority, as well as whether this direction should be applied to a particular team, business unit, or programming language
- An accurate, wider scope of intelligence on the cybersecurity risk factors within their SDLC, encompassing the human factor of software development.
- By leveraging the SCW platform, organizations could predict the potential outcome of pen-testing, and have the opportunity to mitigate those risks up-front, preparing teams before they are even assigned to a specific project.
In organizations that have begun rolling out comprehensive and effective security programs, typically 1-1.5 hours per week of professional development is approved at the management level, to help their developers upskill their secure coding knowledge. However, we are noticing that organisations are moving away from the "time spent on platform'focus to "which software development teams are posing the highest and the lowest risk to the business'. This is tightly linked to formalized certification/belting, the discovery of security champions and mentoring programs for best results. The allocation of time, plus constructive and positive assessment is absolutely key to creating security-aware developers that not only like security, but measurably reduce risk to the business.
How do organizations already use Secure Code Warrior?
Several businesses are already using Secure Code Warrior to create awareness, build developers'skills and scale a positive security culture.
For instance, in one use case, a team training on the platform used SCW to reveal their security strengths and weaknesses:
Developer action: Developers were able to see their own results, showing the areas they should be focusing on and empowered to self-direct, and pace the training to mitigate specific vulnerabilities or knowledge gaps that will assist them in future software builds.
Management action: They analyzed overall strengths and weaknesses at the team level, and were able to prescribe a gamified approach that addresses the specific areas of concern. This created a two-way educational pathway that builds relevant knowledge quickly.
Outcome: Once pentesting at the team level is performed, any vulnerabilities are visible, and comparing previous results made it easy to validate whether training had been effective in reducing common security bugs.
This leads back to the initial stages of software development, wherein pre-training team goals of continuous improvement and introducing security best practices at the start can be effective, easy to roll out, and save time across the entire development scope.
DevSecOps Project Teams
In an ideal DevSecOps environment, multiple business units are represented in a project team to decide upon and deliver core outcomes, one of which is security best practices.
In terms of pre-project research and planning, the SCW platform can evaluate the security skills of the proposed development team before it commences work, predicting eventual pentesting results, and security-related delays in the SDLC with more than enough time to adequately prepare for them. Training specific to the project code and structure can be created for the team to work through, including an assessment/certification process that verifies overall security awareness skills, requiring a preset pass mark before they are set free on the project deliverables.
This offers an approach of immense business value in reducing the cost of fixing vulnerabilities, mitigating security risks, saving time in pentesting, reducing the cost of expensive bounty programs and upskilling the development cohort in a centralised, sustainable, scalable and unified way.
Conclusion:
There is increased pressure on businesses to prioritize security, keep our data safe and comply with increasingly tight regulations globally, but especially for organizations trading in the EU under strict GDPR guidelines.
For companies in the DACH region, it is clear that they are making viable security pathways by connecting training effort and outcomes to real-world activities related to the prevention of risks; including the reduction of common vulnerabilities in the code they produce.
To build a truly quantifiable business case for increased security budgets, awareness and overall compliance, training must be engaging for developers, consistent, adaptable and measurable. Tracking current stages of ability to tailor the right training, uncovering security champions and measuring team performance over time are all vital initiatives, and many forward-thinking companies across DACH are realizing the benefits following a comprehensive SCW pilot.
Many companies struggle with security performance metrics that are too generic. With longer-term, consistent use of the SCW platform, businesses could utilize precision assessments, courses, and management metrics to discover:
- Reduction in vulnerabilities over time
- Reduction in cost to fix vulnerabilities over time
- Individual and team skill development over time
- Cost and time reduction at the pentesting stage
What metrics does your organization currently track, how often are they remeasured, and have they shown marked improvement over time? How integrated are your training initiatives in terms of existing developer workflow?
SCW's dynamic, gamified and comprehensive approach is seen as a crucial part of the Secure Software Development Life Cycle workflow. Businesses are equipping their developers with the right tools and training, as well as embedding SCW as part of their SSDLC workflow.
With the advent of GDPR, as well as a revised strategy following a multi-stage attack that exposed the sensitive data of many public figures - as well as servers in the German federal government - it is clear that cybersecurity awareness and action are front-of-mind for leaders in the DACH region.
Chief Executive Officer, Chairman, and Co-Founder
Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.
Book a demoChief Executive Officer, Chairman, and Co-Founder
Pieter Danhieux is a globally recognized security expert, with over 12 years experience as a security consultant and 8 years as a Principal Instructor for SANS teaching offensive techniques on how to target and assess organizations, systems and individuals for security weaknesses. In 2016, he was recognized as one of the Coolest Tech people in Australia (Business Insider), awarded Cyber Security Professional of the Year (AISA - Australian Information Security Association) and holds GSE, CISSP, GCIH, GCFA, GSEC, GPEN, GWAPT, GCIA certifications.
Cybersecurity best practice has been a hot-button issue for more than a decade, discussed frequently at a government level in most regions all over the world. Cyberattacks are essentially a daily reality, and any entity storing valuable private data online is a potential target. In Germany alone, the Federal Ministry of Education and Research estimates that 96 percent of all small and medium-sized enterprises have already experienced an IT security incident. The same report highlights the urgent need for cybersecurity research, legislation and awareness, with a definitive callout for the inclusion of more robust security training in computer science and IT-related fields.
With the advent of GDPR, as well as a revised strategy following a multi-stage attack that exposed the sensitive data of many public figures - as well as servers in the German federal government - it is clear that cybersecurity awareness and action are front-of-mind for leaders in the DACH region. The late-2018 hack was executed by a 20-year-old student of relatively low skill, with his main access point to highly sensitive information made possible through simply guessing passwords. While this was an extremely concerning authentication exploit, it did highlight the need for far better security awareness at government, business, and societal levels. A 2019 report highlighted that Germany was falling behind in terms of cybersecurity defense initiatives, relying on legislation as the main tactic. However, with the arrival of DevSecOps as an ideal development methodology, many businesses have recognized the need for practical training, secure-by-design software creation, and company-wide security awareness programs.
The software security heartbeat in DACH
Organizations like OWASP and MITRE publish data-verified rankings of the most frequently occurring vulnerabilities. Across all languages, SQL injection ranks at number one, and despite it being decades old it is a common flaw and often exploited with disastrous consequences.
Swiss BPC banking software, SmartVista, was alerted to a SQLi vulnerability by SwissCERT, however, it remained unpatched for months despite its potential to expose sensitive customer data, including credit card numbers. SQL injection can and does lead to dangerous breaches, just like the 2017 breach of multiple government departments and universities in the US and UK. Many of these incidents are caused by lax input validation processes, allowing an attacker to insert malicious code from the front-end of an application. Another common vulnerability source is using insecure vendor code that goes unchecked for security bugs, and flaws are thus introduced into a previously scanned and cleared production environment. Neither of these access points is specific to the DACH region, rather, they are global examples of poor security practices that cannot continue as the world produces more code.
It is imperative to patch issues as soon as they are discovered, and SmartVista's decision to drag their feet could have been a disaster. While DACH has had its share of breaches, more focused guidelines and support in security awareness and training could prevent potential issues at the organizational level getting out of hand, and this will require legislation that is far more specific in driving assessed training for developers.
Not all secure code training is created equal.
Many cybersecurity directives around the world are becoming more comprehensive, however, they remain rather nonspecific when it comes to outlining effective security training. The NIS directive in the EU does include the requirement for "awareness-raising, training and education" at a national level, but rushing into a training solution may not have the desired outcome of tangible risk reduction if it is missing key elements that drive upskilling developers and organizational change.
Education solutions vary, and training must be specific to the developer's day job (including the ability to learn in their preferred language and framework) as well as remain engaging and measurable over time.
Static training solutions, such a computer-based video training is often too generic, and rarely revisited or assessed on its success in driving the awareness and skill to stop vulnerabilities entering code as it is being written. Dynamic training, however, is vital in upskilling developers with contextual examples, in addition to providing metrics that influence business mitigation processes. It is updated frequently, promotes a high level of knowledge retention and is part of building security-aware developers that contribute to a positive security culture in their workplace.
Secure Code Warrior data points from DACH pilots:
Secure Code Warrior's Ema Rimeike, Sales Director (MSc in Cyber Security) has been working closely with organizations in the DACH region, running pilot programs for developers to gauge in-house secure coding competency among developers, their engagement with security best practice, as well as the overall security culture of the business. Utilizing gamified, dynamic secure code training, her key findings reveal a bright future when developers are given the knowledge and tools that foster successful vulnerability reduction from the start of the SDLC.
During her pilot programs, she collated statistics based on an average of 90 minutes spent per user on the Secure Code Warrior (SCW) platform, in which they played 15 secure coding challenges (bite-sized, gamified and self-paced lessons):
Users spent an average time of 5.5 minutes to complete one challenge, versus 3 minutes on average for other global SCW pilots.
- Accuracy vs.Confidence: The DACH pilots registered an average percentage of between 88-92% for confidence in their answers to challenges, yet the accuracy of these answers sat between 53-66%
- Over 75% of surveyed participants prefer gamified - or dynamic - training methods, in contrast to static approaches like computer-based training (CBT).
- Amongst the most frequently seen vulnerabilities, we saw Injection Flaws, Security Misconfiguration, Cross-Site Scripting (XSS), Improper Platform Usage, Access Control, Authentication, Memory Corruption, Cross Site Request Forgery, Insufficient Transport Layer Protection and Unvalidated Redirects and Forwards
It is no secret that, in general, a strong work ethic and focus on precision is valued by many in the DACH region, and the developers trying the pilot program are no exception. These data points speak to their unfamiliarity with this type of training, but also a desire to keep playing, improve their score and avoid using the "hint" feature available. Their desire to learn and improve is evident, but it also shows that more work must be done to implement effective training and awareness within the organization itself.
Great training that reduces risk and thwarts vulnerabilities is not a one-off exercise, and it's more than compliance. An effort must be made by managers and AppSec personnel to roll out a security awareness program with strategy and support that reflects core security goals and seeks to maintain them long-term. This is, in effect, the backbone of a successful DevSecOps process with security-aware developers.
What does a pilot program reveal to an organization?
Secure Code Warrior's pilot programs are an incredibly valuable tool in giving businesses a snapshot of their current security health, (usually between 65-75 %), as well as areas for immediate improvement. They reveal:
- Clarity on which vulnerabilities must be addressed as a priority, as well as whether this direction should be applied to a particular team, business unit, or programming language
- An accurate, wider scope of intelligence on the cybersecurity risk factors within their SDLC, encompassing the human factor of software development.
- By leveraging the SCW platform, organizations could predict the potential outcome of pen-testing, and have the opportunity to mitigate those risks up-front, preparing teams before they are even assigned to a specific project.
In organizations that have begun rolling out comprehensive and effective security programs, typically 1-1.5 hours per week of professional development is approved at the management level, to help their developers upskill their secure coding knowledge. However, we are noticing that organisations are moving away from the "time spent on platform'focus to "which software development teams are posing the highest and the lowest risk to the business'. This is tightly linked to formalized certification/belting, the discovery of security champions and mentoring programs for best results. The allocation of time, plus constructive and positive assessment is absolutely key to creating security-aware developers that not only like security, but measurably reduce risk to the business.
How do organizations already use Secure Code Warrior?
Several businesses are already using Secure Code Warrior to create awareness, build developers'skills and scale a positive security culture.
For instance, in one use case, a team training on the platform used SCW to reveal their security strengths and weaknesses:
Developer action: Developers were able to see their own results, showing the areas they should be focusing on and empowered to self-direct, and pace the training to mitigate specific vulnerabilities or knowledge gaps that will assist them in future software builds.
Management action: They analyzed overall strengths and weaknesses at the team level, and were able to prescribe a gamified approach that addresses the specific areas of concern. This created a two-way educational pathway that builds relevant knowledge quickly.
Outcome: Once pentesting at the team level is performed, any vulnerabilities are visible, and comparing previous results made it easy to validate whether training had been effective in reducing common security bugs.
This leads back to the initial stages of software development, wherein pre-training team goals of continuous improvement and introducing security best practices at the start can be effective, easy to roll out, and save time across the entire development scope.
DevSecOps Project Teams
In an ideal DevSecOps environment, multiple business units are represented in a project team to decide upon and deliver core outcomes, one of which is security best practices.
In terms of pre-project research and planning, the SCW platform can evaluate the security skills of the proposed development team before it commences work, predicting eventual pentesting results, and security-related delays in the SDLC with more than enough time to adequately prepare for them. Training specific to the project code and structure can be created for the team to work through, including an assessment/certification process that verifies overall security awareness skills, requiring a preset pass mark before they are set free on the project deliverables.
This offers an approach of immense business value in reducing the cost of fixing vulnerabilities, mitigating security risks, saving time in pentesting, reducing the cost of expensive bounty programs and upskilling the development cohort in a centralised, sustainable, scalable and unified way.
Conclusion:
There is increased pressure on businesses to prioritize security, keep our data safe and comply with increasingly tight regulations globally, but especially for organizations trading in the EU under strict GDPR guidelines.
For companies in the DACH region, it is clear that they are making viable security pathways by connecting training effort and outcomes to real-world activities related to the prevention of risks; including the reduction of common vulnerabilities in the code they produce.
To build a truly quantifiable business case for increased security budgets, awareness and overall compliance, training must be engaging for developers, consistent, adaptable and measurable. Tracking current stages of ability to tailor the right training, uncovering security champions and measuring team performance over time are all vital initiatives, and many forward-thinking companies across DACH are realizing the benefits following a comprehensive SCW pilot.
Many companies struggle with security performance metrics that are too generic. With longer-term, consistent use of the SCW platform, businesses could utilize precision assessments, courses, and management metrics to discover:
- Reduction in vulnerabilities over time
- Reduction in cost to fix vulnerabilities over time
- Individual and team skill development over time
- Cost and time reduction at the pentesting stage
What metrics does your organization currently track, how often are they remeasured, and have they shown marked improvement over time? How integrated are your training initiatives in terms of existing developer workflow?
SCW's dynamic, gamified and comprehensive approach is seen as a crucial part of the Secure Software Development Life Cycle workflow. Businesses are equipping their developers with the right tools and training, as well as embedding SCW as part of their SSDLC workflow.
Cybersecurity best practice has been a hot-button issue for more than a decade, discussed frequently at a government level in most regions all over the world. Cyberattacks are essentially a daily reality, and any entity storing valuable private data online is a potential target. In Germany alone, the Federal Ministry of Education and Research estimates that 96 percent of all small and medium-sized enterprises have already experienced an IT security incident. The same report highlights the urgent need for cybersecurity research, legislation and awareness, with a definitive callout for the inclusion of more robust security training in computer science and IT-related fields.
With the advent of GDPR, as well as a revised strategy following a multi-stage attack that exposed the sensitive data of many public figures - as well as servers in the German federal government - it is clear that cybersecurity awareness and action are front-of-mind for leaders in the DACH region. The late-2018 hack was executed by a 20-year-old student of relatively low skill, with his main access point to highly sensitive information made possible through simply guessing passwords. While this was an extremely concerning authentication exploit, it did highlight the need for far better security awareness at government, business, and societal levels. A 2019 report highlighted that Germany was falling behind in terms of cybersecurity defense initiatives, relying on legislation as the main tactic. However, with the arrival of DevSecOps as an ideal development methodology, many businesses have recognized the need for practical training, secure-by-design software creation, and company-wide security awareness programs.
The software security heartbeat in DACH
Organizations like OWASP and MITRE publish data-verified rankings of the most frequently occurring vulnerabilities. Across all languages, SQL injection ranks at number one, and despite it being decades old it is a common flaw and often exploited with disastrous consequences.
Swiss BPC banking software, SmartVista, was alerted to a SQLi vulnerability by SwissCERT, however, it remained unpatched for months despite its potential to expose sensitive customer data, including credit card numbers. SQL injection can and does lead to dangerous breaches, just like the 2017 breach of multiple government departments and universities in the US and UK. Many of these incidents are caused by lax input validation processes, allowing an attacker to insert malicious code from the front-end of an application. Another common vulnerability source is using insecure vendor code that goes unchecked for security bugs, and flaws are thus introduced into a previously scanned and cleared production environment. Neither of these access points is specific to the DACH region, rather, they are global examples of poor security practices that cannot continue as the world produces more code.
It is imperative to patch issues as soon as they are discovered, and SmartVista's decision to drag their feet could have been a disaster. While DACH has had its share of breaches, more focused guidelines and support in security awareness and training could prevent potential issues at the organizational level getting out of hand, and this will require legislation that is far more specific in driving assessed training for developers.
Not all secure code training is created equal.
Many cybersecurity directives around the world are becoming more comprehensive, however, they remain rather nonspecific when it comes to outlining effective security training. The NIS directive in the EU does include the requirement for "awareness-raising, training and education" at a national level, but rushing into a training solution may not have the desired outcome of tangible risk reduction if it is missing key elements that drive upskilling developers and organizational change.
Education solutions vary, and training must be specific to the developer's day job (including the ability to learn in their preferred language and framework) as well as remain engaging and measurable over time.
Static training solutions, such a computer-based video training is often too generic, and rarely revisited or assessed on its success in driving the awareness and skill to stop vulnerabilities entering code as it is being written. Dynamic training, however, is vital in upskilling developers with contextual examples, in addition to providing metrics that influence business mitigation processes. It is updated frequently, promotes a high level of knowledge retention and is part of building security-aware developers that contribute to a positive security culture in their workplace.
Secure Code Warrior data points from DACH pilots:
Secure Code Warrior's Ema Rimeike, Sales Director (MSc in Cyber Security) has been working closely with organizations in the DACH region, running pilot programs for developers to gauge in-house secure coding competency among developers, their engagement with security best practice, as well as the overall security culture of the business. Utilizing gamified, dynamic secure code training, her key findings reveal a bright future when developers are given the knowledge and tools that foster successful vulnerability reduction from the start of the SDLC.
During her pilot programs, she collated statistics based on an average of 90 minutes spent per user on the Secure Code Warrior (SCW) platform, in which they played 15 secure coding challenges (bite-sized, gamified and self-paced lessons):
Users spent an average time of 5.5 minutes to complete one challenge, versus 3 minutes on average for other global SCW pilots.
- Accuracy vs.Confidence: The DACH pilots registered an average percentage of between 88-92% for confidence in their answers to challenges, yet the accuracy of these answers sat between 53-66%
- Over 75% of surveyed participants prefer gamified - or dynamic - training methods, in contrast to static approaches like computer-based training (CBT).
- Amongst the most frequently seen vulnerabilities, we saw Injection Flaws, Security Misconfiguration, Cross-Site Scripting (XSS), Improper Platform Usage, Access Control, Authentication, Memory Corruption, Cross Site Request Forgery, Insufficient Transport Layer Protection and Unvalidated Redirects and Forwards
It is no secret that, in general, a strong work ethic and focus on precision is valued by many in the DACH region, and the developers trying the pilot program are no exception. These data points speak to their unfamiliarity with this type of training, but also a desire to keep playing, improve their score and avoid using the "hint" feature available. Their desire to learn and improve is evident, but it also shows that more work must be done to implement effective training and awareness within the organization itself.
Great training that reduces risk and thwarts vulnerabilities is not a one-off exercise, and it's more than compliance. An effort must be made by managers and AppSec personnel to roll out a security awareness program with strategy and support that reflects core security goals and seeks to maintain them long-term. This is, in effect, the backbone of a successful DevSecOps process with security-aware developers.
What does a pilot program reveal to an organization?
Secure Code Warrior's pilot programs are an incredibly valuable tool in giving businesses a snapshot of their current security health, (usually between 65-75 %), as well as areas for immediate improvement. They reveal:
- Clarity on which vulnerabilities must be addressed as a priority, as well as whether this direction should be applied to a particular team, business unit, or programming language
- An accurate, wider scope of intelligence on the cybersecurity risk factors within their SDLC, encompassing the human factor of software development.
- By leveraging the SCW platform, organizations could predict the potential outcome of pen-testing, and have the opportunity to mitigate those risks up-front, preparing teams before they are even assigned to a specific project.
In organizations that have begun rolling out comprehensive and effective security programs, typically 1-1.5 hours per week of professional development is approved at the management level, to help their developers upskill their secure coding knowledge. However, we are noticing that organisations are moving away from the "time spent on platform'focus to "which software development teams are posing the highest and the lowest risk to the business'. This is tightly linked to formalized certification/belting, the discovery of security champions and mentoring programs for best results. The allocation of time, plus constructive and positive assessment is absolutely key to creating security-aware developers that not only like security, but measurably reduce risk to the business.
How do organizations already use Secure Code Warrior?
Several businesses are already using Secure Code Warrior to create awareness, build developers'skills and scale a positive security culture.
For instance, in one use case, a team training on the platform used SCW to reveal their security strengths and weaknesses:
Developer action: Developers were able to see their own results, showing the areas they should be focusing on and empowered to self-direct, and pace the training to mitigate specific vulnerabilities or knowledge gaps that will assist them in future software builds.
Management action: They analyzed overall strengths and weaknesses at the team level, and were able to prescribe a gamified approach that addresses the specific areas of concern. This created a two-way educational pathway that builds relevant knowledge quickly.
Outcome: Once pentesting at the team level is performed, any vulnerabilities are visible, and comparing previous results made it easy to validate whether training had been effective in reducing common security bugs.
This leads back to the initial stages of software development, wherein pre-training team goals of continuous improvement and introducing security best practices at the start can be effective, easy to roll out, and save time across the entire development scope.
DevSecOps Project Teams
In an ideal DevSecOps environment, multiple business units are represented in a project team to decide upon and deliver core outcomes, one of which is security best practices.
In terms of pre-project research and planning, the SCW platform can evaluate the security skills of the proposed development team before it commences work, predicting eventual pentesting results, and security-related delays in the SDLC with more than enough time to adequately prepare for them. Training specific to the project code and structure can be created for the team to work through, including an assessment/certification process that verifies overall security awareness skills, requiring a preset pass mark before they are set free on the project deliverables.
This offers an approach of immense business value in reducing the cost of fixing vulnerabilities, mitigating security risks, saving time in pentesting, reducing the cost of expensive bounty programs and upskilling the development cohort in a centralised, sustainable, scalable and unified way.
Conclusion:
There is increased pressure on businesses to prioritize security, keep our data safe and comply with increasingly tight regulations globally, but especially for organizations trading in the EU under strict GDPR guidelines.
For companies in the DACH region, it is clear that they are making viable security pathways by connecting training effort and outcomes to real-world activities related to the prevention of risks; including the reduction of common vulnerabilities in the code they produce.
To build a truly quantifiable business case for increased security budgets, awareness and overall compliance, training must be engaging for developers, consistent, adaptable and measurable. Tracking current stages of ability to tailor the right training, uncovering security champions and measuring team performance over time are all vital initiatives, and many forward-thinking companies across DACH are realizing the benefits following a comprehensive SCW pilot.
Many companies struggle with security performance metrics that are too generic. With longer-term, consistent use of the SCW platform, businesses could utilize precision assessments, courses, and management metrics to discover:
- Reduction in vulnerabilities over time
- Reduction in cost to fix vulnerabilities over time
- Individual and team skill development over time
- Cost and time reduction at the pentesting stage
What metrics does your organization currently track, how often are they remeasured, and have they shown marked improvement over time? How integrated are your training initiatives in terms of existing developer workflow?
SCW's dynamic, gamified and comprehensive approach is seen as a crucial part of the Secure Software Development Life Cycle workflow. Businesses are equipping their developers with the right tools and training, as well as embedding SCW as part of their SSDLC workflow.
Click on the link below and download the PDF of this resource.
Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.
View reportBook a demoChief Executive Officer, Chairman, and Co-Founder
Pieter Danhieux is a globally recognized security expert, with over 12 years experience as a security consultant and 8 years as a Principal Instructor for SANS teaching offensive techniques on how to target and assess organizations, systems and individuals for security weaknesses. In 2016, he was recognized as one of the Coolest Tech people in Australia (Business Insider), awarded Cyber Security Professional of the Year (AISA - Australian Information Security Association) and holds GSE, CISSP, GCIH, GCFA, GSEC, GPEN, GWAPT, GCIA certifications.
Cybersecurity best practice has been a hot-button issue for more than a decade, discussed frequently at a government level in most regions all over the world. Cyberattacks are essentially a daily reality, and any entity storing valuable private data online is a potential target. In Germany alone, the Federal Ministry of Education and Research estimates that 96 percent of all small and medium-sized enterprises have already experienced an IT security incident. The same report highlights the urgent need for cybersecurity research, legislation and awareness, with a definitive callout for the inclusion of more robust security training in computer science and IT-related fields.
With the advent of GDPR, as well as a revised strategy following a multi-stage attack that exposed the sensitive data of many public figures - as well as servers in the German federal government - it is clear that cybersecurity awareness and action are front-of-mind for leaders in the DACH region. The late-2018 hack was executed by a 20-year-old student of relatively low skill, with his main access point to highly sensitive information made possible through simply guessing passwords. While this was an extremely concerning authentication exploit, it did highlight the need for far better security awareness at government, business, and societal levels. A 2019 report highlighted that Germany was falling behind in terms of cybersecurity defense initiatives, relying on legislation as the main tactic. However, with the arrival of DevSecOps as an ideal development methodology, many businesses have recognized the need for practical training, secure-by-design software creation, and company-wide security awareness programs.
The software security heartbeat in DACH
Organizations like OWASP and MITRE publish data-verified rankings of the most frequently occurring vulnerabilities. Across all languages, SQL injection ranks at number one, and despite it being decades old it is a common flaw and often exploited with disastrous consequences.
Swiss BPC banking software, SmartVista, was alerted to a SQLi vulnerability by SwissCERT, however, it remained unpatched for months despite its potential to expose sensitive customer data, including credit card numbers. SQL injection can and does lead to dangerous breaches, just like the 2017 breach of multiple government departments and universities in the US and UK. Many of these incidents are caused by lax input validation processes, allowing an attacker to insert malicious code from the front-end of an application. Another common vulnerability source is using insecure vendor code that goes unchecked for security bugs, and flaws are thus introduced into a previously scanned and cleared production environment. Neither of these access points is specific to the DACH region, rather, they are global examples of poor security practices that cannot continue as the world produces more code.
It is imperative to patch issues as soon as they are discovered, and SmartVista's decision to drag their feet could have been a disaster. While DACH has had its share of breaches, more focused guidelines and support in security awareness and training could prevent potential issues at the organizational level getting out of hand, and this will require legislation that is far more specific in driving assessed training for developers.
Not all secure code training is created equal.
Many cybersecurity directives around the world are becoming more comprehensive, however, they remain rather nonspecific when it comes to outlining effective security training. The NIS directive in the EU does include the requirement for "awareness-raising, training and education" at a national level, but rushing into a training solution may not have the desired outcome of tangible risk reduction if it is missing key elements that drive upskilling developers and organizational change.
Education solutions vary, and training must be specific to the developer's day job (including the ability to learn in their preferred language and framework) as well as remain engaging and measurable over time.
Static training solutions, such a computer-based video training is often too generic, and rarely revisited or assessed on its success in driving the awareness and skill to stop vulnerabilities entering code as it is being written. Dynamic training, however, is vital in upskilling developers with contextual examples, in addition to providing metrics that influence business mitigation processes. It is updated frequently, promotes a high level of knowledge retention and is part of building security-aware developers that contribute to a positive security culture in their workplace.
Secure Code Warrior data points from DACH pilots:
Secure Code Warrior's Ema Rimeike, Sales Director (MSc in Cyber Security) has been working closely with organizations in the DACH region, running pilot programs for developers to gauge in-house secure coding competency among developers, their engagement with security best practice, as well as the overall security culture of the business. Utilizing gamified, dynamic secure code training, her key findings reveal a bright future when developers are given the knowledge and tools that foster successful vulnerability reduction from the start of the SDLC.
During her pilot programs, she collated statistics based on an average of 90 minutes spent per user on the Secure Code Warrior (SCW) platform, in which they played 15 secure coding challenges (bite-sized, gamified and self-paced lessons):
Users spent an average time of 5.5 minutes to complete one challenge, versus 3 minutes on average for other global SCW pilots.
- Accuracy vs.Confidence: The DACH pilots registered an average percentage of between 88-92% for confidence in their answers to challenges, yet the accuracy of these answers sat between 53-66%
- Over 75% of surveyed participants prefer gamified - or dynamic - training methods, in contrast to static approaches like computer-based training (CBT).
- Amongst the most frequently seen vulnerabilities, we saw Injection Flaws, Security Misconfiguration, Cross-Site Scripting (XSS), Improper Platform Usage, Access Control, Authentication, Memory Corruption, Cross Site Request Forgery, Insufficient Transport Layer Protection and Unvalidated Redirects and Forwards
It is no secret that, in general, a strong work ethic and focus on precision is valued by many in the DACH region, and the developers trying the pilot program are no exception. These data points speak to their unfamiliarity with this type of training, but also a desire to keep playing, improve their score and avoid using the "hint" feature available. Their desire to learn and improve is evident, but it also shows that more work must be done to implement effective training and awareness within the organization itself.
Great training that reduces risk and thwarts vulnerabilities is not a one-off exercise, and it's more than compliance. An effort must be made by managers and AppSec personnel to roll out a security awareness program with strategy and support that reflects core security goals and seeks to maintain them long-term. This is, in effect, the backbone of a successful DevSecOps process with security-aware developers.
What does a pilot program reveal to an organization?
Secure Code Warrior's pilot programs are an incredibly valuable tool in giving businesses a snapshot of their current security health, (usually between 65-75 %), as well as areas for immediate improvement. They reveal:
- Clarity on which vulnerabilities must be addressed as a priority, as well as whether this direction should be applied to a particular team, business unit, or programming language
- An accurate, wider scope of intelligence on the cybersecurity risk factors within their SDLC, encompassing the human factor of software development.
- By leveraging the SCW platform, organizations could predict the potential outcome of pen-testing, and have the opportunity to mitigate those risks up-front, preparing teams before they are even assigned to a specific project.
In organizations that have begun rolling out comprehensive and effective security programs, typically 1-1.5 hours per week of professional development is approved at the management level, to help their developers upskill their secure coding knowledge. However, we are noticing that organisations are moving away from the "time spent on platform'focus to "which software development teams are posing the highest and the lowest risk to the business'. This is tightly linked to formalized certification/belting, the discovery of security champions and mentoring programs for best results. The allocation of time, plus constructive and positive assessment is absolutely key to creating security-aware developers that not only like security, but measurably reduce risk to the business.
How do organizations already use Secure Code Warrior?
Several businesses are already using Secure Code Warrior to create awareness, build developers'skills and scale a positive security culture.
For instance, in one use case, a team training on the platform used SCW to reveal their security strengths and weaknesses:
Developer action: Developers were able to see their own results, showing the areas they should be focusing on and empowered to self-direct, and pace the training to mitigate specific vulnerabilities or knowledge gaps that will assist them in future software builds.
Management action: They analyzed overall strengths and weaknesses at the team level, and were able to prescribe a gamified approach that addresses the specific areas of concern. This created a two-way educational pathway that builds relevant knowledge quickly.
Outcome: Once pentesting at the team level is performed, any vulnerabilities are visible, and comparing previous results made it easy to validate whether training had been effective in reducing common security bugs.
This leads back to the initial stages of software development, wherein pre-training team goals of continuous improvement and introducing security best practices at the start can be effective, easy to roll out, and save time across the entire development scope.
DevSecOps Project Teams
In an ideal DevSecOps environment, multiple business units are represented in a project team to decide upon and deliver core outcomes, one of which is security best practices.
In terms of pre-project research and planning, the SCW platform can evaluate the security skills of the proposed development team before it commences work, predicting eventual pentesting results, and security-related delays in the SDLC with more than enough time to adequately prepare for them. Training specific to the project code and structure can be created for the team to work through, including an assessment/certification process that verifies overall security awareness skills, requiring a preset pass mark before they are set free on the project deliverables.
This offers an approach of immense business value in reducing the cost of fixing vulnerabilities, mitigating security risks, saving time in pentesting, reducing the cost of expensive bounty programs and upskilling the development cohort in a centralised, sustainable, scalable and unified way.
Conclusion:
There is increased pressure on businesses to prioritize security, keep our data safe and comply with increasingly tight regulations globally, but especially for organizations trading in the EU under strict GDPR guidelines.
For companies in the DACH region, it is clear that they are making viable security pathways by connecting training effort and outcomes to real-world activities related to the prevention of risks; including the reduction of common vulnerabilities in the code they produce.
To build a truly quantifiable business case for increased security budgets, awareness and overall compliance, training must be engaging for developers, consistent, adaptable and measurable. Tracking current stages of ability to tailor the right training, uncovering security champions and measuring team performance over time are all vital initiatives, and many forward-thinking companies across DACH are realizing the benefits following a comprehensive SCW pilot.
Many companies struggle with security performance metrics that are too generic. With longer-term, consistent use of the SCW platform, businesses could utilize precision assessments, courses, and management metrics to discover:
- Reduction in vulnerabilities over time
- Reduction in cost to fix vulnerabilities over time
- Individual and team skill development over time
- Cost and time reduction at the pentesting stage
What metrics does your organization currently track, how often are they remeasured, and have they shown marked improvement over time? How integrated are your training initiatives in terms of existing developer workflow?
SCW's dynamic, gamified and comprehensive approach is seen as a crucial part of the Secure Software Development Life Cycle workflow. Businesses are equipping their developers with the right tools and training, as well as embedding SCW as part of their SSDLC workflow.
Table of contents
Chief Executive Officer, Chairman, and Co-Founder
Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.
Book a demoDownloadResources to get you started
Benchmarking Security Skills: Streamlining Secure-by-Design in the Enterprise
The Secure-by-Design movement is the future of secure software development. Learn about the key elements companies need to keep in mind when they think about a Secure-by-Design initiative.
DigitalOcean Decreases Security Debt with Secure Code Warrior
DigitalOcean's use of Secure Code Warrior training has significantly reduced security debt, allowing teams to focus more on innovation and productivity. The improved security has strengthened their product quality and competitive edge. Looking ahead, the SCW Trust Score will help them further enhance security practices and continue driving innovation.
Resources to get you started
Trust Score Reveals the Value of Secure-by-Design Upskilling Initiatives
Our research has shown that secure code training works. Trust Score, using an algorithm drawing on more than 20 million learning data points from work by more than 250,000 learners at over 600 organizations, reveals its effectiveness in driving down vulnerabilities and how to make the initiative even more effective.
Reactive Versus Preventive Security: Prevention Is a Better Cure
The idea of bringing preventive security to legacy code and systems at the same time as newer applications can seem daunting, but a Secure-by-Design approach, enforced by upskilling developers, can apply security best practices to those systems. It’s the best chance many organizations have of improving their security postures.
The Benefits of Benchmarking Security Skills for Developers
The growing focus on secure code and Secure-by-Design principles requires developers to be trained in cybersecurity from the start of the SDLC, with tools like Secure Code Warrior’s Trust Score helping measure and improve their progress.
Driving Meaningful Success for Enterprise Secure-by-Design Initiatives
Our latest research paper, Benchmarking Security Skills: Streamlining Secure-by-Design in the Enterprise is the result of deep analysis of real Secure-by-Design initiatives at the enterprise level, and deriving best practice approaches based on data-driven findings.