The million dollar question every developer should be asking their prospective employers
There's a question that needs to be asked by every developer, whether you are a graduate or a veteran. And the answer matters. It has become even more important in an agile world, because it will directly affect how successful you are at software engineering and how valuable you are to your next employer.
It's the million dollar question. Actually, it's the multi-multi million dollar question!
Are you committed to helping me to code securely?
The average cost of a data breach now stands at USD$3.6M. The odds of your company being breached this year are as high as one in four. Given these facts, I share the frustrations of many that developers aren't graduating from university with competency in secure coding and security embedded into their DNA.
Why? Software engineering is still a relatively young profession. The emphasis has been on teaching people how to build code quickly, make it elegant and functional, but with very limited focus on making the code secure. The pace of change in methodologies, technologies, languages and opportunities only exacerbates these key skill gaps.
We aren't going to change the academic system quickly, so developers and companies alike should expect that developers need to learn secure coding skills on the job. In some professions, you can learn by making mistakes, but for others, it isn't an option. So it is with cyber security.
The facts show that we haven't done very well with on-the-job developer security training either. Most of the world's major security breaches stem from coding errors that allow attackers to gain privileges on computer networks and then access and harvest valuable data. The Verizon Data Breach Investigations Report (DBIR) 2017 shows that 30% of all breaches are directly caused by weaknesses in web application security, and that conclusion has been consistent in the DBIR since 2013.
The 2017 Global DevSecOps Skills Survey released in August 2017, confirmed what we already knew: while 65 percent of DevOps professionals believe it is very important to have knowledge of DevSecOps when entering IT, 70 percent feel they're not receiving the necessary training through formal education to be successful in today's DevSecOps world.
Nearly 40 percent of hiring managers surveyed reported that the hardest employees to find are all-purpose, high-end developers with sufficient knowledge of security testing. 70 percent of respondents said the security education they had received is not adequate for their current positions. In fact, less than 4% said they had been afforded any opportunity for such education at all.
I saw this first hand when I spent almost a decade working with multiple teams of professional white-hat hackers. With tragic regularity, we broke into large enterprises, start-ups and government departments; always finding the same weaknesses.
This is why, as a developer, you need to speak up when you are being hired. If your prospective employer isn't taking your security training seriously, think hard about what sort of company you are considering joining.
The second question you should ask is how they plan to deliver it. Will it be hands-on and interactive? Developer security training that covers vulnerabilities through slideware, videos, clickable animations or abstract discussion is unlikely to help you directly in your coding. Will they ensure you are continually kept up to date with the latest vulnerability classes? Is there a security guild or community you can learn from? Are there security mavens you can fall back on if you need help?
A commitment to your secure coding skills needs continuous learning through hands-on challenges in specific coding frameworks and confronting you with different vulnerabilities in multiple scenarios. You simply cannot learn about SQL injections through one example. You need exposure to multiple examples of diverse types so that you learn to recognise these dangerous coding patterns.
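As an added illustration of that last point (this is example code written for this edit, not code from the article or from any Secure Code Warrior training material), the block below puts three SQL injection variants that look different on the page beside the parameterised fix, and runs each against classic payloads. It assumes Python's built-in sqlite3 module and a constructed users table with made-up rows; the `?` placeholder style is sqlite3's, and other DB-API drivers use `%s` or named parameters, so check your driver's documentation rather than copying the placeholder literally.

```python
import sqlite3

# Constructed sample data for this example (not from the article). Passwords are
# stored in plaintext only to keep the demo short; real systems must hash them.
SAMPLE_USERS = [
    ("alice", "s3cret"),
    ("bob", "hunter2"),
    ("carol", "correcthorse"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


# Three vulnerable variants. They read differently, but each one lets
# attacker-controlled text become part of the SQL grammar instead of SQL data.

def login_concat(conn, username, password):
    """Vulnerable: string concatenation."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return sorted(r[0] for r in conn.execute(sql))


def login_format(conn, username, password):
    """Vulnerable: %-formatting. Tidier to read, identical flaw."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return sorted(r[0] for r in conn.execute(sql))


def search_fstring(conn, pattern):
    """Vulnerable: f-string. A search box rather than a login form, still injectable."""
    sql = f"SELECT username FROM users WHERE username LIKE '{pattern}'"
    return sorted(r[0] for r in conn.execute(sql))


def login_safe(conn, username, password):
    """Fixed: parameterised query. The driver binds the values; they never reach the SQL parser."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return sorted(r[0] for r in conn.execute(sql, (username, password)))


def run_demo():
    """Run every variant against classic payloads and return the results for inspection."""
    conn = make_db()
    tautology = "' OR '1'='1"                          # closes the literal, appends an always-true clause
    comment = "alice'--"                               # closes the literal, comments out the password check
    union = "%' UNION SELECT password FROM users --"   # appends a second query that dumps another column
    return {
        "concat_tautology": login_concat(conn, "alice", tautology),   # every user
        "format_comment": login_format(conn, comment, "wrong"),       # alice, no password needed
        "fstring_union": search_fstring(conn, union),                 # usernames and passwords
        "safe_tautology": login_safe(conn, "alice", tautology),       # [] : payload treated as data
        "safe_comment": login_safe(conn, comment, "wrong"),           # [] : no user named "alice'--"
        "safe_valid": login_safe(conn, "alice", "s3cret"),            # ['alice']
    }


if __name__ == "__main__":
    for name, rows in run_demo().items():
        print(f"{name:18s} -> {rows}")
```

The three vulnerable functions differ only in how the string is assembled, which is exactly why a single textbook example is not enough: a reviewer trained on the concatenation form alone will walk past the f-string form. The fix is the same in every case, and it is not escaping or input filtering but keeping data out of the query text altogether.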
One of our customers required their developers to play a single five-minute challenge every day for two months. It tested their skills before and after the training period and observed a 60% increase in secure coding capability across a group of hundreds of developers. That means fewer resources spent finding and fixing security bugs later in the life-cycle and significant long-term savings. It also makes it far less likely that attackers will use your code to compromise your company's data.
There were 11 million professional developers in the world in 2014, according to IDC research. In 2015, Burning Glass found there were as many as 7 million job openings in occupations that required coding skills, and that programming jobs were growing on average 12% faster than the market.
There are plenty of software jobs out there. So take a stand and choose employers who are committed to taking care of their security, your security and their customers' security. By extension, choose companies who invest in you.
Chief Executive Officer, Chairman, and Co-Founder
Pieter Danhieux is a globally recognized security expert, with over 12 years experience as a security consultant and 8 years as a Principal Instructor for SANS teaching offensive techniques on how to target and assess organizations, systems and individuals for security weaknesses. In 2016, he was recognized as one of the Coolest Tech people in Australia (Business Insider), awarded Cyber Security Professional of the Year (AISA - Australian Information Security Association) and holds GSE, CISSP, GCIH, GCFA, GSEC, GPEN, GWAPT, GCIA certifications.