Secure development should be AppSec’s immune system
As an application security professional, it’s your job to ensure the cyber safety of your organization’s applications. You’re not, however, responsible for writing the code the application runs on. Engineers within the development team are. So how do you make sure that they’re developing those systems with security in mind?
Most likely you’re doing some or even all of the following:
- Reviewing all code for security flaws and reporting them back to the development team to fix.
- Enforcing a strict peer review process throughout your secure development lifecycle.
- Having regular application assessment/penetration tests done by internal or external security teams.
- Implementing scanning tools to pick up on vulnerabilities.
These are great best practices, but they’re also expensive and similar to taking a round of antibiotics every time you get sick. Not only does that come with a high cost, it loses efficacy and can weaken your immune system over time.
How do you go about actually ensuring the code that developers ship is written securely in the first place?
Secure coding aside, first think about how people learn. Most of us are visual learners and we learn through doing. And yet secure code training is often provided as a ‘tick-the-box’ activity that is not relevant to a developer’s daily work. It’s designed to prove, often for compliance with industry standards, that developers have undergone security training, not to help developers actually retain that knowledge, let alone enjoy the learning process.
Another way humans tend to learn is through our mistakes, much as our immune system does. T cells remember what sort of pathogens they have encountered and successfully eradicated in the past, so that they can protect against them in the future. This is exactly the role that developers should play in your secure SDLC.
It’s unrealistic to expect them never to make mistakes, but you can prepare them to recognize the coding patterns that translate into security vulnerabilities before those patterns reach production.
This is also why a robust peer review process is so powerful. Just because one developer doesn’t notice a security flaw does not mean that another won’t. And the better trained the development team is as a whole, the more likely vulnerabilities will be caught in their tracks and never make it to production.
Software vulnerabilities are like pathogens
Software vulnerabilities are like pathogens in the sense that you have to remember them in order to fight them. With pathogens, our immune system often needs to be exposed multiple times before it remembers how to fight them and can avoid severe sickness or worse.
A successful cyber attack exploiting vulnerable software can severely cripple or kill an organization. But if developers are introduced to software vulnerabilities first in a controlled environment, they can build immunity to those threats by increasing and regularly practicing their secure coding knowledge and skills.
Expose developers to security flaws in a controlled environment
We can never fully protect ourselves from getting sick, but there are things we can do to boost our immune systems and stay as healthy as possible. Regular exercise, healthy eating, and plenty of sleep are amongst the lifestyle choices commonly associated with a strong immune system. But all of those things require a bit of effort, and they must be continuous. Going on a jog every day for a week or giving up drinking for a month will barely make a dent in your overall health. It’s also not advisable to go out and run a 10k the first day we take up running; we first need to expose our hearts and muscles to the exercise. We also know that it takes a bit of experimenting until we find a balance that suits our body, with healthy foods and exercises that we enjoy.
It’s not so different when it comes to secure software development. Learning happens over time and with practice, and developers need the same ongoing training to regularly boost their secure coding skills. Not to mention, software development is always evolving and adapting, meaning the vulnerabilities are too. That’s why a single training course is not enough. Developers need regular upskilling to stay familiar enough with potential threats to be properly equipped to defend against them.
Aim to achieve herd immunity within the development team
A single person can’t prevent any and all security issues. It’s great to have security champions on the team, but for the best protection, the more people who have learned about security vulnerabilities and how to prevent them, the better chance your organization has of preventing them. Again, it’s not much different from how the immune system has different types of T cells for different purposes. Every single developer is part of a team that ensures security. If they’re empowered to take responsibility, do it well, and even enjoy doing it, then you can create herd immunity against cyber threats within the development team as a result.
Keep security top of mind with repeat exposure
Our brains learn in much the same way that our immune systems work. German psychologist Hermann Ebbinghaus was a pioneer in the field of memory and learning. He deduced that learning has to occur over time and across multiple learning sessions. When we’re in school, we’re never expected to retain new knowledge after a single introduction. First the information is presented to us, then we practice it with guidance, and then we practice it on our own. And even after we have learned it well enough to pass an exam, the information tends to be forgotten shortly after if we don’t regularly use the knowledge we have spent the time and effort to learn. How many of us can claim we remember our high school French?
So how can we possibly believe that a single day of looking at slides and listening to someone talk about security would actually lead to those developers in attendance coding more securely?
Patterns of recurring vulnerabilities show us that this simply doesn’t work.
How do you achieve secure development immunity?
The answer lies in our nature. Our bodies and minds work the same way and they provide beautiful solutions to problems, as long as we work with them and not against them.
To ensure that your applications are secure, you need to start by upskilling developers to write secure code. Otherwise AppSec will continue to spend all of its time reviewing every line of code for security flaws and reporting the same recurring vulnerabilities back to development, only for them to be quickly fixed with nothing learned. And then do it all over again for the next release.
So let’s reiterate.
If you work together with your development managers to do that, you’ll not only be implementing a secure SDLC and ticking the compliance box for the security training requirement, you’ll be making a real-world impact on the development process. To put a cherry on top of it all, AppSec will no longer be encountering and reporting repeat vulnerabilities back to development teams, and developers will spend less time fixing them. That means they can spend more time creating and improving the amazing software that makes our world better.
Ready to upskill your development team? Go ahead and book a demo with us.
Secure Code Warrior makes secure coding a positive and engaging experience for developers as they increase their skills. We guide each coder along their own preferred learning pathway, so that security-skilled developers become the everyday superheroes of our connected world.
Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.
Secure Code Warrior builds a culture of security-driven developers by giving them the skills to code securely. Our flagship Agile Learning Platform delivers relevant skills-based pathways, hands-on missions, and contextual tools for developers to rapidly learn, build, and apply their skills to write secure code at speed.