The future of work is flexible, and it's great for cybersecurity
A version of this article appeared in TFIR. It has been updated and syndicated here.
They say change is the only constant in life, but 2020 has really brought a test for many all over the world. The global COVID-19 pandemic has forced us to think - at a deep level - about how we connect. Self-isolation, social distancing - these have been some of the adaptations we've made in the physical world, and despite the fact that so many of us spend so much time online, it's quite a different scenario to not have any other choice when it comes to communicating and, if possible, working. It is all at once a tragedy, and an awakening.
Like many tech companies, flexible working is not new to us and working from home is one of the perks of the job. Even as "early" as 2009, I was working remotely from Belgium for companies in Silicon Valley. The technology was way less advanced back then, but it was still doable. Even for us right now, however, it was an adjustment to have every single team member working from home until further notice. I have seen so many companies make this decision as well, including many who were not as prepared as others for managing a remote workforce.
Whether discomfort comes from the unknowns of a new way of working, a little mistrust, or perhaps not "believing" in remote work, I find that companies who are resistant to it tend to fall behind in terms of attracting top talent, maintaining global reach and frankly, moving with the times. This current crisis has left many with no choice but to ignite a remote workforce, as the alternative is a complete shutdown of business amidst a chaotic economic climate.
If there is one positive we can take from this tragedy, it's that people will have seen the benefit of a digital workforce, and the myriad of ways in which a team can connect despite not being physically together. And the cybersecurity industry is one that can truly thrive from a work-anywhere, always-on approach.
Attackers didn't go into lockdown - they're abundantly active and taking advantage of this crisis, leveraging worldwide panic and uncertainty to carry out cyberattacks on medical facilities. In a situation such as this, it's not far-fetched to see a spike in cyberattacks - especially ransomware. It is, after all, stealing to survive in precarious economic times. This doesn't make it okay, and the fact remains that we can still work, train and fight against cyberattacks anywhere there is an internet connection.
The future is flexible, and this is how we - and the cybersecurity industry as a whole - can make it work now and into the future:
Access-anywhere products are universal and valuable
Before any sort of forced quarantine situation, global teams still had to find a way to collaborate when required. Affordable conference calls made their debut in the same year as the Rolling Stones (1964, that is - and no doubt those early adopters had the same, "are you there"? "no, you go ahead" issues we face today, even though we can see each other on video).
In 2020, digital communications technology is an enormous part of the multi-trillion-dollar ICT industry, with cloud-native, mobile and social platforms dominating and replacing legacy tech. Innovations like Slack, Zoom, and Discord have kept us more connected than ever, especially at work. And communication is just one aspect of the story.
Digital services that are accessible anywhere with an internet connection, on-demand, that fulfill a base need - whether it's a connection, entertainment, productivity - are part of our flexible future. As customers ourselves we seek hyper-personalization, and as a business, we seek to deliver a personal, digital experience that is of the same uncompromising quality no matter where it is accessed from.
In every industry, every day, web-based applications are being created to streamline processes, revolutionize the existing ways we live and work, and solve problems we may not have realized we had. We are nowhere near the peak of cybersecurity tools and training that can be accessed on-demand, in ways that are engaging and useful to the user, with tangible benefit to the business.
Developers appreciate flexibility in their day jobs, and our focus on practical, fun secure coding training, as well as workflow integration, is crafted with these end-users in mind. Tools should be pick-up-and-play so as to be effortless, with valuable training not seen as a chore. With the cybersecurity industry such a vast playing field, the time is ripe to innovate in multiple areas of attack and defense, where security-first methodologies like DevSecOps can still thrive even if everyone is at home. It's about collaboration, and a considered suite of tools for each member of the team to do their job effectively regardless of their physical location.
Training when you need it most (or when you want to switch up your day)
One advantage of flexible work is that your office commute is wiped out on the days you're performing duties from home. For some, that could be around two hours of quality, focused time won back. In an ideal world, all staff would have time in their normal working hours to learn and develop their skills, and this can be navigated much more easily in the right remote environment. It's beneficial to your remote superstars, who can feel challenged and supported by further learning.
With the cybersecurity landscape changing by the second, frequent training is a must to keep pace with potential threats that could affect the organization. And comprehensive, measurable training that is customized to the needs of the business is a huge step in the right direction. These were some of the core factors in the design of the Secure Code Warrior platform; we wanted training that could be accessed anywhere, right when you needed it, in the development language and framework of the user's choice.
Developers have a fraught relationship with security, and in a lot of ways, they've not been catered to in a specific enough way to engage properly with security best practices. On-demand, gamified training can help win them over no matter where they are; this is also imperative for ensuring that offshore teams and vendors display adequate security awareness as well, especially when involved in any sort of tinkering with an organization's software.
Keeping your cohort engaged and upskilled with training that will help the organization (not to mention their own career) is a very effective glue when it comes to retaining your best and most loyal talent... an absolute necessity as we face an ongoing cybersecurity skills shortage.
Remote workforces can be empowered, productive and secure
It's a rather old-school position that in order to be productive, you have to be visible in an office from nine until five. And yet, so many companies (even some of the new, exciting ones) still operate with this notion in mind. There is a deep sense of mistrust in their own workforce, as though the mere suggestion of working from home has them picturing their teams gaming in their underwear instead of doing their job.
Either that or they simply haven't taken the plunge into viable remote working.
Naturally, team members do need to prove they can maintain productivity at home by showing output. However, you need to give your cohort the best chance to succeed away from the office. Ask yourself:
- Do they have adequate hardware?
- Have you actually implemented any of those awesome communication tools we talked about before?
- Have you ensured every manager is checking in and being digitally present with their team, with regular stand-ups?
- Have you thought about productivity tools to keep track of projects and help give each member of the team direction, goal-setting and a sense of accomplishment as they complete tasks?
In the current climate, many businesses were faced with a decision to go remote with their operations or shut down entirely. Some businesses that chose to move to a remote workforce may not have been all that prepared, and it's possible there will be some kinks to iron out... but the elephant in the room is that these businesses are likely exposing themselves to some security risks, as well.
Avoiding security blunders in remote working environments
There are several threat vectors to consider, since staff are likely on their own network, and may be using a range of devices to access company accounts, each with their own security needs that may or may not be in effect.
In remote working situations, everyone tends to receive an increase in email, on top of having to sort out various logins, systems, and setups. It's all too easy for socially engineered attacks and malware to slip through the cracks on a bunch of devices out of the in-house security scope. This is not a reason to abandon remote work; it is a golden opportunity to learn by doing and make it as robust as possible for the future. And in security-focused organizations, well, this is a good opportunity to audit processes and "eat your own dog food" when it comes to security best practices for everyone.
Speaking of blunders, it's also important to assess your remote workspace for any potential threats... mostly to your pride, like this poor couple. Moral of the story: make sure everyone is wearing pants if you're on a video call.
Cyberattacks don't stop just because we're in crisis
It is deeply upsetting to see the effects of COVID-19 all over the world, and now more than ever is a time to pull together and consider other people in this global health crisis. The thing is, attackers are actively taking advantage of this widespread fear and pandemonium, perhaps out of desperation to put food on the table. We as a society are incredibly vulnerable at this time.
Healthcare institutions, including a vaccine testing center, have been hammered with ransomware and DDoS attacks, not to mention those trying to take advantage of distracted and overworked finance and government organizations by launching phishing and malware campaigns against them. Another looming threat surrounds the vaccine itself; it has been reported that the Trump administration had offered a German firm large sums of money to develop a COVID-19 vaccine for the United States' exclusive use. The vaccine data is possibly the most valuable information on Earth at present, which would be a very attractive bounty for an attacker.
This is an all-too-timely reminder that while we self-isolate from the very real threat of a physical virus, our digital heartbeat is also under attack. Security awareness is of utmost importance in every organization, and adequate training should be provided at every level - even measures like enforcing password management tool use, and learning how to spot a phishing email are helpful.
And when it comes to developers, they are the first line of defense in securing the code actively produced within the business, and they can be a valuable asset with your AppSec team in avoiding further pain from a cyberattack by closing the back doors created by common vulnerabilities.
Companies that are digitally innovative can weather larger storms
An extremely unfortunate byproduct of mass lockdown has been the economic downturn, forcing many people out of jobs in the hardest-hit sectors. This has all compounded rather suddenly, and it is an experience many of us likely haven't lived through in our lifetimes.
While not every digital native business is an automatic recession-buster (far from it), by their nature, companies that deal in digital are far more agile, adaptable and sustainable when even the most left-field of circumstances come to pass.
Our company can be run efficiently and effectively with a remote workforce, and this is an added layer of protection for our valued team and the clients they support as well. We consider viable secure code training an essential part of modern businesses, and if we're chosen, we can deliver and pivot as needed. Many companies by nature of the products or services they sell do not have the same luxury, but it may be a positive surprise for them to investigate where processes can be digitized, future-proofed and made as on-demand as possible in even the most traditional spaces.
Finding new ways to connect is a positive challenge, not a hindrance
It's a tad dramatic, but I'm reminded of the famous quote from Jurassic Park where Dr. Ian Malcolm says, "life finds a way". It truly does, and that has been very apparent in our company-wide switch to remote work. Teams that didn't interact a whole lot before are discovering common interests in drop-in/drop-out watercooler chats, online office games, and a mutual global office Spotify playlist. There is always a way to forge a meaningful relationship, and my advice is to let teams explore and grow with it organically.
For our clients, it has been awesome to see that their commitment to honing secure coding skills among developers has transcended any remote working hiccups. They have been utilizing our tournaments feature, and while these are usually run in-person with a bit of fanfare, their virtual versions have been driving healthy engagement, friendly competition and an excellent (productive) distraction from day-to-day activities usually completed in a solitary fashion. Much like videogames are now a far more social event than they once were, this type of on-the-job training drives connection not just with the course material, but with each other. And it's available to anyone, anywhere. As a security geek I'm definitely biased, but hey, this is as good a time as any to help foster a love of secure coding among developers. They are all security superheroes in waiting, and it's time to bolster your front lines in the most fun way possible.
Matias Madou, Ph.D. is a security expert, researcher, and CTO and co-founder of Secure Code Warrior. Matias obtained his Ph.D. in Application Security from Ghent University, focusing on static analysis solutions. He later joined Fortify in the US, where he realized that it was insufficient to solely detect code problems without aiding developers in writing secure code. This inspired him to develop products that assist developers, alleviate the burden of security, and exceed customers' expectations. When he is not at his desk as part of Team Awesome, he enjoys being on stage presenting at conferences including RSA Conference, BlackHat and DefCon.
Matias is a researcher and developer with more than 15 years of hands-on software security experience. He has developed solutions for companies such as Fortify Software and his own company Sensei Security. Over his career, Matias has led multiple application security research projects which have led to commercial products and boasts over 10 patents under his belt. When he is away from his desk, Matias has served as an instructor for advanced application security training courses and regularly speaks at global conferences including RSA Conference, Black Hat, DefCon, BSIMM, OWASP AppSec and BruCon.
Matias holds a Ph.D. in Computer Engineering from Ghent University, where he studied application security through program obfuscation to hide the inner workings of an application.
Developers appreciate flexibility in their day jobs, and our focus on practical, fun secure coding training, as well as workflow integration, is crafted with these end-users in mind. Tools should be pick-up-and-play so as to be effortless, with valuable training not seen as a chore. With the cybersecurity industry such a vast playing field, the time is ripe to innovate in multiple areas of attack and defense, where security-first methodologies like DevSecOps can still thrive even if everyone is at home. It's about collaboration, and a considered suite of tools for each member of the team to do their job effectively regardless of their physical location.
Training when you need it most (or when you want to switch up your day)
One advantage of flexible work is that your office commute is wiped out on the days you're performing duties from home. For some, that could be around two hours of quality, focused time won back. In an ideal world, all staff would have time in their normal working hours to learn and develop their skills, and this can be navigated much more easily in the right remote environment. It's beneficial to your remote superstars, who can feel challenged and supported by further learning.
With the cybersecurity landscape changing by the second, frequent training is a must to keep pace with potential threats that could affect the organization. And comprehensive, measurable training that is customized to the needs of the business is a huge step in the right direction. These were some of the core factors in the design of the Secure Code Warrior platform; we wanted training that could be accessed anywhere, right when you needed it, in the development language and framework of the user's choice.
Developers have a fraught relationship with security, and in a lot of ways, they've not been catered to in a specific enough way to engage properly with security best practices. On-demand, gamified training can help win them over no matter where they are; this is also imperative for ensuring that offshore teams and vendors display adequate security awareness as well, especially when involved in any sort of tinkering with an organization's software.
Keeping your cohort engaged and upskilled with training that will help the organization (not to mention their own career) is a very effective glue when it comes to retaining your best and most loyal talent... an absolute necessity as we face an ongoing cybersecurity skills shortage.
Remote workforces can be empowered, productive and secure
It's a rather old-school position that in order to be productive, you have to be visible in an office from nine until five. And yet, so many companies (even some of the new, exciting ones) still operate with this notion in mind. There is a deep sense of mistrust in their own workforce, as though the mere suggestion of working from home has them picturing their teams gaming in their underwear instead of doing their job.
Either that or they simply haven't taken the plunge into viable remote working.
Naturally, team members do need to prove they can maintain productivity at home by showing output; however, you need to give your cohort the best chance to succeed away from the office. Ask yourself:
- Do they have adequate hardware?
- Have you actually implemented any of those awesome communication tools we talked about before?
- Have you ensured every manager is checking in and being digitally present with their team, with regular stand-ups?
- Have you thought about productivity tools to keep track of projects and help give each member of the team direction, goal-setting and a sense of accomplishment as they complete tasks?
In the current climate, many businesses were faced with a decision to go remote with the operations or shut down entirely. Some businesses that chose to move to a remote workforce may not have been all that prepared, and it's possible there will be some kinks to iron out... but the elephant in the room is that these businesses are likely exposing themselves to some security risks, as well.
Avoiding security blunders in remote working environments
There are several threat vectors to consider, since staff are likely on their own network, and may be using a range of devices to access company accounts, each with their own security needs that may or may not be in effect.
In remote working situations, everyone tends to receive an increase of email, on top of having to sort out various logins, systems, and setups. It's all too easy for socially engineered attacks and malware to slip through the cracks on a bunch of devices out of the in-house security scope. This is not a reason to abandon remote work; it is a golden opportunity to learn by doing and make it as robust as possible for the future. And in security-focused organizations, well, this is a good opportunity to audit processes and "eat your own dog food" when it comes to security best practices for everyone.
Speaking of blunders, it's also important to assess your remote workspace for any potential threats... mostly to your pride, like this poor couple. Moral of the story: make sure everyone is wearing pants if you're on a video call.
Cyberattacks don't stop just because we're in crisis
It is deeply upsetting to see the effects of COVID-19 all over the world, and now more than ever is a time to pull together and consider other people in this global health crisis. The thing is, attackers are actively taking advantage of this widespread fear and pandemonium, perhaps out of desperation to put food on the table. We as a society are incredibly vulnerable at this time.
Healthcare institutions, including a vaccine testing center, have been hammered with ransomware and DDoS attacks, not to mention those trying to take advantage of distracted and overworked finance and government organizations by launching phishing and malware campaigns against them. Another looming threat surrounds the vaccine itself; it has been reported that the Trump administration had offered a German firm large sums of money to develop a COVID-19 vaccine for the United States' exclusive use. The vaccine data is possibly the most valuable information on Earth at present, which would be a very attractive bounty for an attacker.
This is an all-too-timely reminder that while we self-isolate from the very real threat of a physical virus, our digital heartbeat is also under attack. Security awareness is of utmost importance in every organization, and adequate training should be provided at every level - even measures like enforcing password management tool use, and learning how to spot a phishing email are helpful.
And when it comes to developers, they are the first line of defense in securing the code actively produced within the business, and they can be a valuable asset with your AppSec team in avoiding further pain from a cyberattack by closing the back doors created by common vulnerabilities.
Companies that are digitally innovative can weather larger storms
An extremely unfortunate byproduct of mass lockdown has been the economic downturn, forcing many people out of jobs in the hardest-hit sectors. This has all compounded rather suddenly, and it is an experience many of us likely haven't lived through in our lifetimes.
While not every digital native business is an automatic recession-buster (far from it), by their nature, companies that deal in digital are far more agile, adaptable and sustainable when even the most left-field of circumstances come to pass.
Our company can be run efficiently and effectively with a remote workforce, and this is an added layer of protection for our valued team and the clients they support as well. We consider viable secure code training an essential part of modern businesses, and if we're chosen, we can deliver and pivot as needed. Many companies by nature of the products or services they sell do not have the same luxury, but it may be a positive surprise for them to investigate where processes can be digitized, future-proofed and made as on-demand as possible in even the most traditional spaces.
Finding new ways to connect is a positive challenge, not a hindrance
It's a tad dramatic, but I'm reminded of the famous quote from Jurassic Park where Dr. Ian Malcolm says, "life finds a way". It truly does, and that has been very apparent in our company-wide switch to remote work. Teams that didn't interact a whole lot before are discovering common interests in drop-in/drop-out watercooler chats, online office games, and a mutual global office Spotify playlist. There is always a way to forge a meaningful relationship, and my advice is to let teams explore and grow with it organically.
For our clients, it has been awesome to see that their commitment to honing secure coding skills among developers has transcended any remote working hiccups. They have been utilizing our tournaments feature, and while these are usually run in-person with a bit of fanfare, their virtual versions have been driving healthy engagement, friendly competition and an excellent (productive) distraction from day-to-day activities usually completed in a solitary fashion. Much like videogames are now a far more social event than they once were, this type of on-the-job training drives connection not just with the course material, but with each other. And it's available to anyone, anywhere. As a security geek I'm definitely biased, but hey, this is as good a time as any to help foster a love of secure coding among developers. They are all security superheroes in waiting, and it's time to bolster your front lines in the most fun way possible.
Matias Madou, Ph.D. is a security expert, researcher, and CTO and co-founder of Secure Code Warrior. Matias obtained his Ph.D. in Application Security from Ghent University, focusing on static analysis solutions. He later joined Fortify in the US, where he realized that it was insufficient to solely detect code problems without aiding developers in writing secure code. This inspired him to develop products that assist developers, alleviate the burden of security, and exceed customers' expectations. When he is not at his desk as part of Team Awesome, he enjoys being on stage presenting at conferences including RSA Conference, BlackHat and DefCon.
Matias is a researcher and developer with more than 15 years of hands-on software security experience. He has developed solutions for companies such as Fortify Software and his own company Sensei Security. Over his career, Matias has led multiple application security research projects which have led to commercial products and boasts over 10 patents under his belt. When he is away from his desk, Matias has served as an instructor for advanced application security training courses and regularly speaks at global conferences including RSA Conference, Black Hat, DefCon, BSIMM, OWASP AppSec and BruCon.
Matias holds a Ph.D. in Computer Engineering from Ghent University, where he studied application security through program obfuscation to hide the inner workings of an application.