A version of this article appeared on Security Boulevard. It has been updated and syndicated here.

Earlier this year, the PCI Security Standards Council revealed version 4.0 of their Payment Card Industry Data Security Standard (PCI DSS). While organizations won’t need to be fully compliant with 4.0 until March 2025, this update is their most transformative to date, and will require most businesses to assess (and likely upgrade) complex security processes, and elements of their tech stack. This is in addition to implementing role-based security awareness training and regular secure coding education for developers.

This represents a golden opportunity for companies in the BFSI space to seriously uplift their security programs, ushering in a new era of people-driven cyber resilience. 

What are the biggest challenges in getting PCI DSS 4.0-ready?

Just as an organization’s security program is all-encompassing, with intricacies that are unique to its business needs and available resources, the new PCI DSS standards cover a lot of ground. However, they reveal a pointed shift towards flexibility in approaches to meeting security requirements, and in an industry where tools, threats, strategy, and compliance measures can change in an instant, this is significant.

PCI DSS 4.0 embraces the concept that there are many ways to achieve the same goal of airtight security best practices. This is true, but it seems best suited to organizations with advanced security maturity and leaves a lot of room for error, especially for those who have not been realistic in their assessment of their true internal security maturity. Ultimately, companies must be prepared to engage in security as a continuous, evolving process, not a once-off “set and forget” exercise. A strong security culture is a must, with an organization-wide commitment to security awareness. 

And those on the code-level tools - the development cohort - they must be enabled to deliver compliant, secure software in any business environment handling digital assets and transactions. 

Are your developers prepared to deliver compliant software?

Developers sit as an integral part of reaching a state of software security excellence, and this is especially relevant to more than just token PCI DSS compliance. It is crucial that developers understand the broader picture of PCI DSS 4.0 in terms of what they can control, and integrate as part of their default approach to a software build. 

Three key areas represent the most relevant changes for the development team, and they can be broken down as follows:

• Authentication: A viable plan for access control has always been a key part of PCI compliance, however, version 4.0 kicks this up a notch in a way that will require careful implementation both internally and externally. Multi-Factor Authentication (MFA) will become standard, as will bolstered rules around password complexity and timeouts.
  
  With authentication and access control security issues now the most common likely to be faced by your average developer, it is imperative that precision training is rolled out to help them identify and fix these problems in actual code.
  
  
• Encryption & Key Management: We operate in a world where we can access some of our most sensitive information via multiple access points, such as our online banking. With this high-value data at risk, encryption and strong cryptography practices are a must. Developers have to ensure they carry up-to-date knowledge on where information is transmitted, how users can access it, and even in the event of it ending up in the wrong hands, ensuring it is unreadable by threat actors.
  
  
• Malicious Software: In the previous guidelines, security controls around software protection from malicious code were referred to as “antivirus software”, but this oversimplifies what should be a multi-layered approach shielding against far more than viruses alone. Anti-malware solutions must be applied wherever necessary, and continuous logging and monitoring are mandatory.
  
  It is also vital that developers have learning pathways that cover identifying vulnerable components, especially with most codebases relying at least in part on third-party code.

What constitutes “enough” training for developers?  

Similar to previous recommendations, PCI DSS 4.0 proposes that developers are trained “at least” annually. However, if the implication is that once a year is enough of a touchpoint for secure software creation, it is nowhere near adequate and is unlikely to result in safer, compliant software. 

Developer education should start with a foundational education in the OWASP Top 10, as well as any other vulnerabilities that are language-relevant and business-critical. This should be part of an ongoing program, with the view to continue building upon those skills and embedding security not just into software development from the start, but also into their mindset and approach to their role. In addition, roles and responsibilities must be abundantly clear to the development cohort and their managers. Security should be a shared responsibility, but it’s only fair to document expectations and ensure they can be met properly.

With the lead time available to prepare for PCI DSS 4.0 compliance, it is possible to make some significant headway into organization-wide improvements to security culture, and that is fertile ground for growing the most security-aware development cohort you’ve ever had.

‍

Time is money - so why are we wasting it? 

Engineering managers - it’s time to get real. How many hours do your developers spend coding? No, we’re not looking to get them to admit that they’re hanging out in their pajamas all day eating chips and watching Netflix. But instead ask yourself, how many hours a day do you feel your teams are spending on meaningful work?

Now, look at the time your developers spend coding per week. How much of that time is spent reworking legacy code, finding and fixing bugs, or addressing technical debt? Probably a lot.

We know the feeling. Developers often feel frustrated by their inability to make progress when they’re faced with insurmountable challenges and gaps in the software development lifecycle today. 

• On average, a software development team reworks about 26% of its code prior to release. 
• A developer spends an average of 13.5 hours a week on just technical debt. That’s over 700 hours a year spent on fixing past mistakes. 
• Developers spend four hours a week working on “bad code.” Over a year, this amounts to $85 billion lost in opportunity cost.
• 41% of developers state that functionality and security have equal importance in their organization.
• 63% of developers find writing secure code free from vulnerabilities to be very difficult. 

Source: Stripe Report, the Developer Coefficient; The State of Developer-Driven Security Survey 2022 

Think about the last time you had a code review where the code was identified as insecure by your AppSec team. Factor in the grinding halt your team had to come to when they had to fix those vulnerabilities. More likely than not, they had to go down a rabbit hole to find a workable solution to the issue, and then take extra time to figure out where the heck they left off before they had to address the problem. 

Source: Stripe Report, The Developer Coefficient 

This endless cycle of stoppage and rework is not just disruptive, it’s productivity-killing and demoralizing.

There is a better way to code securely - and save time in the process 

We all wish we had more hours in the day to get things done. But sometimes we just have to figure out a way to work smarter, not harder, with the hours we do have. 

Instead of wasting time scratching your head over solutions, spending hours and hours combing through code that might not even be yours for defects and vulnerabilities - wouldn’t it just be simpler to write the code better from the beginning? 

Tech is at an impasse today, with engineering managers looking to cut costs in every possible way. Software licenses, discretionary expenses, and even salaries are all on the chopping block. But what if it didn’t need to come to that? Inefficiencies in the software development process are harder to quantify but ultimately more costly and challenging to address.

With developer-driven security, developers can create greater efficiency and productivity within the SDLC by owning security at every step of the process. 

Decreasing the time spent on reworking vulnerable code is more than just a cost-saving measure: it’s a chance to reinvest in your department. The time that was wasted can be used for creating innovative new features or meaningful improvements to your application. Developers who were previously frustrated by their inability to make progress will be motivated by the opportunity to add value.

Developers feel the biggest negative impacts to their workloads are caused by work overload, changing priorities that result in discarded code or time wasted, and not being given sufficient time to fix poor-quality code. Coupled with a lack of knowledge and a patchwork solution to addressing vulnerabilities - you’re looking at even more time wasted and ballooning costs. 

Source: The State of Developer-Driven Security Survey 2022 

Tech moves at lightning speed, so it’s important to give your developers the tools to keep up and not get left behind. Equipping developers with the knowledge to code securely from the beginning and fix vulnerabilities quickly will give your team an advantage when tackling the headaches of reworking code and addressing technical debt in the long term. 

Businesses need to better mobilize their existing developer talent if they want to move faster, stay agile, and tap into new and emerging trends. Motivating your developers to be more focused on security shouldn’t just be purely about cost and output. Upskilling and integrating security into every step of the SDLC is not only a win for the team, but a professional win for individual developers as well. Developers who have the skills to code securely will be highly prized in the years to come because coding securely means fewer problems for them to address down the road.

Starting left doesn’t just mean moving quickly, it means enabling developers to share the responsibility of security without sacrificing speed. When it’s done right, security-skilled developers improve productivity by reducing vulnerabilities that create rework, maintain software release velocity, and ensure quality code without hindering innovation.

Smarter, faster, secure coding

Secure Code Warrior builds a culture of security-driven developers by giving them the skills to code securely. Our flagship Learning Platform delivers relevant skills-based pathways, hands-on missions, and contextual tools for developers to rapidly learn, build, and apply their skills to write secure code at speed. 

Here at Secure Code Warrior, we’re constantly innovating to help equip developers and organizations with the right skills to tackle today’s ever-changing security challenges. We do this through highly engaging, flexible, and easy-to-manage secure code enablement. 

Everyone wants a good return on their investment when it comes to investing in their tech stack or additional training programs. When it comes to security though, you need to be playing a long game. Investing in developer-driven security will not only mitigate the risk of expensive breaches, the loss of productivity, and accumulated tech debt but also create a proactive and cost-effective strategy to stay ahead of today’s threat landscape. 

This past quarter, Secure Core Warriors has implemented new ways to learn with Coding Labs, which is now available to all Secure Code Warrior customers. We are thrilled to announce enhancements to participation management and course versioning, and we created new course activities like Guidelines! 

Let’s dive in to learn more!

Expanding the SCW Platform’s breadth and depth 

Secure Code Warrior’s continued expansion into new content helps to keep our modules relevant, timely, and tailored to what you need to know in today’s cyber-security landscape. With industry-leading breadth and depth of over 55 languages, it’s easy to build and scale a program to train developers in a large number of languages and frameworks. 

Coding Guidelines available in Courses 

The addition of guidelines offers developers contextual and self-paced learning that primarily covers security mitigation. Guidelines are more in-depth than videos and focus on a specific language or framework. Other offensive-based activities such as challenges, Missions, and Walkthroughs already require developers to have an understanding of the vulnerability. We created Guidelines to complement these activities from a defensive viewpoint.  

Developers can read through Guidelines in Courses, and admins can use them in Course templates. Guidelines cover vulnerabilities listed in OWASP Top 10 2021 and contain code snippets in C#, Java, JavaScript, Python, Pseudocode, and PHP. 

New Challenge content

Secure Code Warrior regularly updates and creates new challenges that are relevant, timely, and tailored to your organization’s needs. We are excited to announce expanded challenges available in: 

• Dart: Flutter - a mobile language for building smooth cross-platform apps on Android and iOS
• Terraform: GCP - an infrastructure as code development language for Google Cloud Provide. 

Developers can analyze the code, find the vulnerability, and apply critical thinking to pick the best security implementation to prevent listed vulnerabilities.

Coming soon: new front-end developer content 

Front-end developers need secure code enablement too! That’s why we will be releasing additional front-end vulnerabilities in Missions and Walkthroughs. Front-end developers will also be able to access front-end specific Missions in Courses. 

These updates strive for comprehensive coverage of frontend-specific vulnerabilities- from common ones like DOM-based XSS, to less frequently encountered vulnerabilities such as CSS Injection. 

Step-by-step walkthroughs will provide front-end developers with trusted guidance on how vulnerabilities are being exploited. Advanced developers will also be able to test their skills in front-end Missions in Tournaments. 

Simplifying the admin and developer experience

Configuring a scalable and engaging secure code education program is now easier than ever with key usability improvements to the platform. 

‍

Course versioning, archiving, and participation management 

Now, keep up with the ever-changing needs of an organization’s program with new ways to edit existing programs. Course versioning allows admins to edit their existing Courses without having to create a brand-new Course. Admins can also delete test Courses or non-relevant Courses that do not have any developers enrolled, helping them to unclutter their archives. 

In addition, the ability to apply additional filters on the Course Management page will make it much simpler for admins to filter down to the course they want to work on. Courses can be filtered by a number of attributes such as Course status, end date, and teams enrolled. For instance, admins can easily locate all Courses with a time limit, with an end-of-Course assessment attached, or if the Course is in draft or preview.

In addition to versioning and filtering for Courses, admins are now able to re-invite Course participants in bulk, as well as remove them from a Course as needed.  This gives admins a one-click solution to reinvite developers in an “invited” state, saving valuable time and energy to remind them to get back onto the platform and start learning!

‍

That’s a wrap on this quarter’s new capabilities! Follow Secure Code Warrior on Twitter to get updates about the latest releases and improvements.

Interested in trying out Secure Code Warrior but don’t have an account yet? Sign up for a free trial account today to get started.

Let’s talk about debt 

Most everyone knows now that cybercrime has become a major issue facing our global economy. As of 2022, the average cost of a data breach in the United States amounted to $9.44 million, up from $9.05 million in the previous year. It’s important not to ignore the cost of insecure code and its accumulated technical debt. According to the 2022 Consortium for Information and Software Quality: The Cost of Poor Software Quality report, it is estimated that the cost of poor software quality in the US has grown to at $2.41 trillion and the accumulated software technical debt has grown to $1.52 trillion. 

The burgeoning costs of addressing insecure code and its technical debt have become the biggest obstacle to making any changes to existing code bases - thus leaving them vulnerable to exploitation and external threats. The state of software security is facing an existential crisis - we know we have to improve our security posture as well as address accumulated technical debt, but the barriers are huge: 

• There are an estimated 300,000 unfilled software developer and IT related jobs in the US with a projected growth rate of 15% 
• It’s predicted that by 2025, 40% of IT budgets will be spent simply maintaining tech debt
• 1/3 of developers’ weekly hours on average are spent addressing tech debt

Quick fixes are risky - and cost more long term 

What is technical debt and why is it so important? Tech debt accumulates when decision makers go for a short-term solution to a software development problem—instead of a more exhaustive, long-term solution. This comes with a substantial hidden cost that organizations must pay later. Much like a maxed-out credit card, technical debt has two main components:

• Principal - refers to the total cost of refactoring or fixing software so that it reaches a desired level of maintainability and security.
• Interest - the extra effort that developers spend making those changes to address the technical debt alone, and not new functionalities. Every minute spent on not-quite-right code adds interest to the debt.

One can eventually reach a state of “technical bankruptcy” when the cost of new features, bug fixes, and maintenance exceeds the project budget - sinking the value of the software application significantly. 

However, some debt accumulation, just like in life, is normal and in most cases, somewhat expected. 

Ideally, all software developers should reduce bugs as much as possible before shipping code. However, they are faced with a tough tradeoff: To be competitive, an organization might want to deliver features or products to customers quickly at a minimum cost. As a result, the quality of the application suffers because developers' KPIs are based on the speed of the delivery, and the initial cost to build it. What’s missing from the picture is the accumulated deficiencies and potential vulnerabilities baked into the code. This leaves it ripe for bugs or security vulnerabilities down the line or worse, exploitation by bad actors. 

But there lies the conundrum: Is there a different way to ship products quickly without accumulating a massive amount of technical debt? 

The cost of finding and fixing deficiencies and vulnerabilities is the largest single expense in the software development lifecycle. The earlier in the development lifecycle issues are found, the more cost-effective the overall delivery will be. 

Technical debt can evolve into security debt

Many developers try to circumvent this tradeoff by using open source code to help them move quickly and ideally, use an already vetted solution. However, relying heavily on open source software often presents its own risks: 

• 82% of the open source components were found to be out of date (i.e. unpatched or not well supported) 
• 75% of codebases contained vulnerabilities (up from 60% in 2018), and 49% contained high-risk vulnerabilities 
• An average of 82 vulnerabilities were identified per codebase 

This proliferates a subset of technical debt - security debt. Security debt is the accumulation of vulnerabilities in a software application that makes it harder or even impossible to protect data and systems from an attack.

One of the most notorious examples is Equifax, the credit reporting giant breached in 2017 because it had failed to patch a known vulnerability in Apache Struts, a popular open-source web application framework. The patch had been available for months, but the breach compromised the crucial personal data of more than 147 million people.

Therefore, greater attention must be given to secure coding practices as many applications have reached a critical mass in not only their technical debt but the density of security weaknesses and vulnerabilities in the application itself.

This can result in huge losses, that can either be tangible or intangible: 

Reputational damage: The loss of customer trust can have an extremely negative impact down the road. This may include damage to the brand, lost sales, and costly legal problems as a result of a breach. 

Regulatory and compliance impact: If a security breach can cause a company to miss a deadline and/ or contractual obligations. A failure to meet an SLA can land a company in trouble with regulators, resulting in significant fines. 

Remediation costs: Extra work is often needed following a failure or outage to make up for the loss in productivity.

Preventing technical and security debt in the SDLC

Many organizations are already shifting their budget to create a stronger security posture. Last year, Google committed $10 billion over 5 years to fund a program to strengthen cybersecurity.  The Biden administration also requested $2.1 billion in the 2022 discretionary budget for the Cybersecurity and Infrastructure Security Agency (CISA). 

Providing more resources and training to help bolster the professional growth and knowledge of your developers can be the first step in establishing quality standards for all code shipped into production. 

The costs to find and fix vulnerability or defect exponentially grows the later in the software development cycle it’s found and addressed. And as we’ve seen, with so much time spent on addressing technical and security debt, organizations are creating their own losses by forgoing innovation and time spent on new features or products. 

In 2022, a majority of developer teams said DevOps or DevSecOps was their methodology of choice, and it’s no surprise why. DevSecOps integrates security at every stage of the software development lifecycle to deliver better and more secure applications. Security and Development teams continue to work in silos and have tension, but it’s clear that this needs to change to help businesses succeed. DevOps is part of how organizations are trying to break down barriers and reshape culture. The fundamental goal of DevSecOps is to increase collaboration between AppSec/ Security with developers from the very beginning of the software development lifecycle.

Implementing a new way of thinking about addressing technical debt and security doesn’t have to be a monumental feat. Establishing a proactive mindset through training is critical when trying to improve the security awareness and skills of an organization’s developer community. A robust secure-coding education for developers ensures that learning is ongoing, interactive, relevant, and contextual is a necessity. A truly holistic approach must consider what is needed to foster a genuine developer-led security culture. It may require changing the focus from the typical ways of managing and building developer teams.

Creating a culture change isn’t easy, but Secure Code Warrior helps you to identify your security champions and help equip developers and organizations with the right skills to tackle today’s ever-changing security challenges. 

Launching an engaging and scalable secure code program is a worthy investment because of the long-term preventative approach to security, instead of the reactive way of the past. This ultimately helps to mitigate the costly risks of a breach, educate developers on how to find and fix vulnerabilities quickly, and facilitate a more agile way of focusing on product development and accelerated time to market.

Coding Labs: Hands-on secure code training for Developers 

Upskilling is challenging without Interactive Learning 

In a recent industry survey (The State of Developer-Driven Security Report 2022), 40% of developers stated their training wasn’t hands-on enough. Companies invest in security and secure code training but see little evidence in the results i.e. seeing a reduction in insecure code and a reduction in code rework. More times than not, boring and static secure code training modules disengage developers and yield lackluster results.

Developers won’t have a positive impact on vulnerability reduction without a foundational understanding of key concepts, as well as offensive and defensive strategies. Instead, they are often met with a one-sided, static approach that only explains “how to fix” the code in question. In order to truly grasp critical security concepts, developers need to know how the vulnerabilities work, understand their impact, illustrate what patterns cause them, and be shown how to fix them in a context that makes sense to them. 

There are many developers who are motivated to learn but lack the time to invest in a secure code training program - often feeling frustrated by the lack of hands-on experience. They need a go-to source that supports their varied learning styles and delivers realistic training in an environment they are familiar with. However, most trainings require a lengthy virtual desktop setup or lack the content and scenarios that are relevant to their experiences.

It’s unfair to measure their performance or center developer KPIs to include an emphasis on secure coding when they don’t have the skills built up from interactive and relevant learning opportunities. However, the importance of secure software development cannot be overstated, and getting developers on-board is crucial. 

Enter Coding Labs to bring next-level coaching to developer-driven secure coding with interactive modules all within a convenient in-browser IDE. 

Provide the hands-on training developers want  

Coding Labs is a part of Secure Code Warrior’s flexible, tiered approach to learning and improving developer security maturity. Developers can start with the simpler guided walk-throughs and videos, then advance to Missions and our new Coding Labs. 

Instead of being met with unclear and frustrating “right or wrong” guidance, developers can also be confident they’re learning the right way and improve their comprehension with real-time, contextual feedback. 

Developers can choose between self-paced learning paths, or test their skills in courses assigned by their program administrator. Coding Labs is like a personal trainer, with interactive, hands-on modules with real coding and intuitive feedback, developers can go from learning to doing faster and improve their secure coding skills. 
‍

Coding Labs: 

• Provides intuitive feedback and contextual hints to ensure developers know “why is this important” in addition to the “how to fix it”
• Facilitates learning through short-form labs that maximize learning outcomes without eating up productivity
• Does not require spinning up virtual desktops or setups - and is simple to deploy to all developers 
  ‍
  

Build Strong Skills and Practice Secure Coding in Real-Time 

Coding Labs enables developers to learn in an IDE-like environment that simulates the way they work, helping them hone their skills by better engaging with the subject matter without distractions. Developers will learn as they code with intuitive guidance that provides context around the ins and outs of avoiding security vulnerabilities.

As part of the SCW platform, this new experience brings a fresh perspective to developer enablement. Developers can train through a variety of training types built on tiered learning – from explanation videos to hands-on challenges, ranging from easy to fiendishly hard. 

Program admins can choose between self-paced learning or creating customized curriculums with Coding Labs as a learning activity. Developers will build up their skills over time -starting with strong foundations by recognizing core principles and increasing their knowledge over time with real-world practice in writing secure code. 

Coding Labs is like a personal coach for developers to work through a new vulnerability with approachable, guided training - eventually working their way up to more challenging and hands-on experience. Leaders can be confident that developers will find the training more engaging, easier to retain, and ultimately apply to the code base to reduce vulnerabilities and rework.

Curious to Learn more? Book a Demo 

Try Secure Code Warrior for Free

‍

This week, we officially celebrate eight years of Secure Code Warrior. On the one hand, that’s 350 times the length of the Apollo 11 mission, as well as the equivalent of 45,000 games of football, or playing Super Mario Odyssey 5696 times to the end. On the other, it’s just one-thirtieth the lifespan of a Giant Tortoise (250 years, if you’re wondering). In the world of a high-growth startup, it represents a journey of many twists, turns, lessons, and accomplishments, many of which were unimaginable when we were first inking our business plan. 

Between the ever-present threat of recession, military conflict, and some of the most disruptive data breaches we have experienced to date, 2022 wasn’t the most positive year for many, myself included. It would be disingenuous for me to say it was anything but a grind to the finish line, but I remain proud of our resilience in the face of ongoing global challenges. We have an exceptional team, and each one of us is truly dedicated to driving success in enterprise security programs, by placing developers at the heart of a transformational, defensive approach to problems that have existed for a very long time.We have forged our own path and prevailed. While we might not be the only “gamified” cybersecurity education option on the planet, one thing is sure: nobody else has our vision, persistence, or our founding team, and we have been through a lot together.
‍

Our birthday milestones are often utilized to reflect on key events from the past year, but this time, I want to highlight just how special it is that we have achieved such growth while retaining the same six people we crammed into a tiny office on day one.

We found our niche, and work together every day to execute a vision that we believe will change the way developers view their role in security. It’s a big job, but we haven’t forgotten our roots and the importance of our bond.

‍

We have a long road ahead, but with this core and a growing team of enthusiastic, empathetic, and dedicated individuals, I truly believe we can have a hand in changing the status quo of security in software development. 

And you know what makes me so confident? From the beginning, we placed emphasis on diversity and considered it a pillar of strength in the team. The best organizations are built with the contributions of people from varied backgrounds, cultures, and walks of life. We added over one hundred new people to the team in the past year, and I am proud to say we are a melting pot of approaches that culminate into a formidable, talented group of human beings that can launch us into the proverbial stratosphere. 

If the past three years have taught us anything, it’s to expect the unexpected, but the constant that I can rely upon is that we’ve got each other’s backs, and slowly, but surely, we’re helping make software safer. And we’re doing it without losing our sense of adventure.

Here at Secure Code Warrior, we’re constantly innovating to help equip developers and organizations with the right skills to tackle today’s ever changing security challenges. 

We’ve compiled the top features and updates to our platform, as well as the resources and guidelines published this year, to help your organization secure your software through developer-driven security at the start of the software development cycle.

Highlights from 2022

2022 was a big year for secure code learning. Here are some metrics we’ve pulled from our users to show the scope and scale of our learning platform.
‍

‍

2022 was a big year of building, let's run through a few of the top highlights!

Top Releases in 2022

Coming soon: Coding Labs

With Coding Labs, developers can advance their secure coding skills with a hands-on learning experience in a one-of-a-kind fully powered in-browser IDE. By training in a familiar environment, it’s easier than ever to go from learning new skills to applying them to actual code and preventing vulnerabilities before they’re introduced.

Coding Labs is currently available in preview for customers, reach out to your SCW representative to learn more about getting access if you haven’t already.

SCORM LMS Integration

SCORM is the international standard for e-courses. If your course is published in the SCORM format, you can be sure that almost any learning management system (LMS) will recognize it.

The SCORM LMS integration allows admins to easily manage their secure code training program alongside their other training platforms in one place, saving you time and letting you focus on the important things ,like focusing on more impactful ways to improve your training programs. 

Secure Code Warrior Connector for Okta Workflows 

This integration helps to prevent insecure code from being introduced to your codebase with the power of a security-proficiency check that can be built into your flow. 

When working on code bases, such as in a GitHub repository, you can set required lessons and assessments as qualifiers for coding in the base. This empowers your leaders to make sure each developer is ready to work in the relevant code base, helping level up the security posture of the entire organization. 

Learn more about Okta + SCW 

See the Demo here 

Learn more and see a live demo of Coding Labs in this webinar on Developer Productivity and Enablement.

Check out what’s new in our Blog

See the Okta Demo and our other integrations in one of our ProductTalks. 

Vulnerabilities in the news 

Secure Code Warrior offers a rapid response to top vulnerabilities to ensure you're aware of the situation and what to do. Plus, when possible we'll even create a simulation where you can get hands-on experience in the mechanics, and you can better protect your application against future threats. 

2022 was an eventful year when it came to vulnerabilities and attacks rearing their ugly heads. From a log4j vulnerability putting millions of applications at risk, to a python tar traversal path that took nearly 15 years to be fixed. Secure Code Warrior has the guidelines and free test missions to prepare you for these types of vulnerabilities. 

• Log4J vulnerability
• Trojan source
• Spring vulnerability
• NGINX and Microsoft Windows SMB Remote Procedure Call Service vulnerability
• Hardcoded credentials
• Python path traversal bug

Additional releases and updates 

At Secure Code Warrior, we are all about scalable and engaging education that meets the developer where they are, no matter which level they are at. In June, we kicked off our quarterly ProductTalk webinar series which covers all of the exciting things that we are rolling out to our customers.

2022 saw many additions to the languages and content available at SCW, as well as critical improvements to the admin experience, and forays into more detailed reporting. 

Flexible and diverse education

Secure Code Warrior contains training content in 63+ different languages (and counting), from the most popular (Java and C++) and the rising stars like GO and Typescript. In 2022 we added even more content and languages to our repertoire. 

• NEW OWASP course templates to help build upon your developers’ baseline knowledge and security awareness.
• New language - SAP:ABAP  Niche languages like SAP:ABAP get the SCW treatment with training content that is delivered in developers’ preferred format - code snippets and samples

Streamlined configuration and administration

We know how important it is to make it easy to deploy and maintain secure coding programs. In 2022, we made a lot of intentional improvements to make our admin’s jobs easier and create an experience that is headache free and intuitive.

• Course Tabular View - Now it’s even easier for you to create courses for different development teams quickly.
• Course Editing and Versioning - Admins can edit their existing courses and create basic course versions without having to create a brand new course
• Bulk Actions - Do more with fewer clicks and make changes to courses from one place instead of applying changes across every language.
• Continue Button - Access Courses from the Home Screen with a "Continue" button to the new homepage displays a list of activity cards to help users quickly resume the modules they have previously started.

Reporting and analytics

For company admins and team managers, the need to monitor activity across the organization is crucial to understanding your developer’s engagement and measuring the success of your training program. By accessing key metrics like number of courses completed and time spent on courses - either at the team or individual level, even more strategic decisions can be made towards building richer training programs.

• Training Metrics - Report on the progress and success of your application security program with metrics that show how well a developer is progressing in their training rather than how long they’ve spent on the platform.

• Assessment CSV downloads - Quickly understand your developers strengths and weaknesses to assess your strategy and maturity, with CSV downloads that include all versions of the assessment rather than just one version.

Tech stack integrations

Secure Code Warrior’s approach to integrations ensures your SCW program is built directly into your preferred products and developers’ workflows to enhance user experiences and enable just-in-time remediation, as well as stickier learning outcomes. 

• Secure Code Warrior for GitHub - Enable contextual training inside GitHub workflows by appending contextual application security training material to SARIF files or directly within the issues and pull requests, giving developers access to knowledge when they need it most in order to help you ship quality code faster.

Learn more about SCW+GitHub 

• Secure Code Warrior for GitLab - Embed highly relevant Secure Code Warrior training links to the Vulnerability Details section of vulnerability reports inside GitLab. This helps to reduce the time gap between learning and application of knowledge to ensure future usage.

See the Demo

Learn more about SCW+GitLab  

• Synopsys Seeker integration - Link Secure Code Warrior resources, videos, and training links to vulnerability findings within Seeker. Micro-learning within Synopsys Seeker helps to identify and resolve vulnerabilities with easily accessible training guidance within Seeker. 

Learn More about Synopsys + SCW

Devlympics 2022

Secure Code Warrior hosted its second annual Devlympics secure coding competition on October 19th, 2022. We’re proud to share that Devlympics 2022 was even bigger than last year! This year's event included 2910 registrations with almost 800 players in either the Champion or Ultimate Warrior arenas, and has proven to be a huge success in helping developers of all experience levels advance their secure coding skills. 

During the 24-hour tournament, developers from around the world competed in offensive and defensive coding challenges in their choice of programming languages. Developers had the opportunity to compete against their peers across a range of skills, from hobbyist to professionals within the chosen languages.

At the same time, security experts were invited to the Secure Code Forum Discord channel to live-play and to share feedback, swap jokes and memes, and learn more about Secure Code Warrior. 

Resources to help you succeed 

Secure Code Warrior is one of four companies named in the Gartner® Cool Vendors™ in Software Engineering: Enhancing Developer Productivity report. In addition to offering innovative solutions that help organizations boost developer productivity and mitigate security risks, Secure Code Warrior has released a number of resources and research on the importance of Developer Driven Security. 

Whether you’re an AppSec manager struggling to get engagement and input from your developer teams, or if you’re an engineering manager working to upskill your teams’ security-posture, we’ve got you covered with the guides and tools you need to advocate for developer-driven security in your organization. 

• Secure Code Coach - a resource hub for developers to learn and engage with members of their community to learn more about secure coding ‍
• Whitepaper: The State of Developer Driven Security‍
• Whitepaper: The Challenges to Improve Software Security ‍
• The secure code training blueprint‍
• Steps to development team security maturity‍
• The developer security maturity matrix
• The importance of security maturity in developer teams‍
• Security Maturity Quiz 
• Your Handbook to Developer Driven Security 

Interested in trying out Secure Code Warrior but don’t have an account yet? Sign up for a free trial account today to get started.

Talk to Sales to learn more. 

Follow Secure Code Warrior on Twitter to get updates about the latest releases and improvements.

That’s all for now, see you in 2023!

‍

‍

The Cost of Poor Code 

Leaps in technology are making it easier than ever for developers to ship code faster than ever before. This can be exciting for innovation, but daunting when it comes to scaling up the quality and security in software. Justifying the costs of additional tools, training programs, and investment in upskilling developers can seem like a “nice-to-have” vs. a critical business function if the velocity of the code being shipped is maintained.  

Shipping code faster may have gotten easier, but unfortunately shipping secure code hasn't -  leaving organizations vulnerable to more threats than ever. The cost of cybercrime is staggering across the globe, and it’s rapidly increasing. In fact, in 2020, the cost of cybercrime was approximately $1 Trillion. On average the cost of a data breach is $4.35M - spreading across lost business from current customers and potential customers, as well as resources spent handling the detection, escalation and rework. 

Despite these astronomical costs, over half of organizations do not require developers to do formal secure-code training annually.

Security professionals all know that it can feel like playing a game of whack-a-mole when it comes to finding and fixing vulnerabilities. Even if you already have a security program with a remediation strategy, there's always an opportunity for improvement. Most organizations find that when their disaster recovery or backup capability is put to the test, their approach to security is not as robust as they once thought. If strengthening your organization’s resilience from cyberattacks is one of your top priorities, shifting the perspective left to your developers should be within your plans to continue improving your security posture. A skilled, empowered developer team that builds secure code from the start, and is knowledgeable enough to locate and fix vulnerabilities rapidly is your most cost-effective means of mitigating risk.   

A misconception when it comes to developer education is that it's simply a cost to the business or even an insurance policy. According to Klaus Klaus Klinger, DevSec Awareness Evangelist at Allianz, “The whole thing has to start in the heads of management. Investing in the training of developers is not a lost investment, but an investment into quality, productivity, and the reputation of the company”.

ROI can often be difficult to quantify in this space, but ultimately what organizations should be thinking about is how their security posture helps them to reduce risk, streamline their approach, and save time and productivity for their developer teams. 

How can one Quantify ROI in Cybersecurity Costs?

When it comes to ROI, it’s important to think about it in two different frames: the cost savings of mitigating risk vs. the impact of your security training.

Let’s consider this all-too-common example: a vulnerability or breach causes an e-commerce site to be forced offline for several days while its teams search for the problem and how to fix it. The cost of the failure to remediate can be quantified in lost revenue during the outage, the impact of stolen credentials, the loss of customer trust (resulting in long-term reduced sales), and the overall productivity lost while fixing the problem. 

This really boils down to a cost/benefit analysis. The key areas you will want to assess are your company’s security maturity level, your company’s risk acceptance levels, and the areas in your code that need to be maintained or improved.

People often focus on the wrong metrics to determine success and value. Perhaps we should concern ourselves less with the return on the initial investment of the program, and instead, measure the impact of the program itself. 

Measure to Prove Impact

In order to establish ROI, you have to create measurable goals. This begins with assessing your developers’ secure coding knowledge and understanding where they need to grow their skills. 

A starting point would be to measure engagement to help you to make strategic decisions as to how to build richer training programs. Most importantly - measure the impact. Start by looking at the number of weaknesses that get picked up in the software development life cycle through code analysis, bug bounties, or classic vulnerability testing before you start the program in each team. One of the simplest ways to know your training program is having the desired outcome is by measuring the decrease in vulnerabilities being introduced into your codebase overall.

‍

Top Questions to Assess ROI:‍

1. Are we streamlining our approach?

‍Are you throwing more tools at the problem or solving it at its root cause? Adding more tools to your tech stack creates a “swiss cheese” method approach to finding and fixing vulnerabilities. They also increase operational costs with little impact on the source of many vulnerabilities - the code. Though scanning and pentesting tools should absolutely be a part of your arsenal, they should not be your last line of defense. ‍

2. Are we improving efficiency and productivity?

Time spent on exhaustive code reviews and reworks from code sent back from AppSec can result in a major loss of productivity. Reducing fire drills by empowering and enabling developer teams to be hands-on with their secure code training should be a good benchmark for assessing the positive impact of your security program. ‍

3.Are we lowering risks?

Finding and fixing a vulnerability can be like solving a large puzzle, which sometimes can take days, weeks, or even months to complete with a robust solution. Empowering developers to own remediation at the source lets AppSec focus on risk monitoring and strengthening the security posture of the organization.

4. Are we increasing velocity (but still maintaining quality)?

Shipping code quickly is not always a good thing. Cutting corners and introducing vulnerabilities into the code can create many headaches in the future and accumulate technical debt. Short-term thinking is not the answer here. One can mitigate risk by securing their code from the start, so that the problem doesn’t compound itself in the future. 
‍

Recommended Metrics to Track:  

• Engagement - how much time are you budgeting for training and how are developers engaging? Are they completing courses, assessments, and participating in tournaments? 
• Skills - where are the areas of strength? What areas have you identified as needing improvement? 
• Vulnerability reduction - have you noticed a measurable decrease in vulnerabilities during code review? Are you seeing less rework come back from AppSec? 
• Productivity - how long does it take to remediate an issue? Have you noticed an increase in productivity or velocity with vulnerability reduction? 

Create Value By Shifting Left

Breaches and vulnerabilities have been rapidly increasing each year. It's important to start proactively building a holistic approach to security - starting first with your code. This will help to: 

• Reduce complexity by investing in your most valuable resources - your people, instead of throwing money at tools that only solve part of the problem 
• Improve efficiency and overall effectiveness by limiting rework or fixes that would normally be identified by AppSec after the code is deployed 
• Mitigate risk and achieve compliance, avoiding costly fines, the loss of customer trust, or worse - the cost of a data breach 

Avoid short-term thinking and quick fixes. They can only result in technical debt and more costs down the road. Plan for the long term by harnessing the power of upskilling and enabling your developers to be your best line of defense against vulnerabilities and cybercrime, and see the impact and cost savings for yourself.

‍

In response to major security breaches like the SolarWinds campaign, which used a software update process to infect over 18,000 users of the popular Orion management software, including many top corporations and government agencies, there is an increased push for more effective developer-led security efforts. Organizations of all sizes are starting to question their ‘software supply chain’, and demanding that the developers making their software have verified security skills and awareness.

Even the United States government is calling for better developer-led security practices and a strengthening of the software supply chain. Those concepts are a key component of anExecutive Order on Improving the Nation’s Cybersecurity issued by President Biden.

Overall, the developer community has been receptive to the idea of shifting security to earlier in the software development lifecycle (SDLC) through programs and movements like DevSecOps.And when recently surveyed, the developer community said that they valued the security training that they received to support that effort.

Software vulnerabilities continue to be exploited, and even developers admit that they sometimes leave vulnerabilities in their code.

Why?

The survey confirmed that writing quality code was a top priority for the development community. However the survey also identified several reasons why the training being given to developers, while seen as valuable, is nevertheless falling well short of the goal of helping to secure the software supply chain. 33% said that they were still leaving vulnerabilities in their code because, even after whatever training was provided, they still did not know how to identify or fix known vulnerabilities. And an overwhelming 92% said they needed at least some level of additional training in security, while 50% said that a lot more training was required.

It’s clear that the developer community values whatever training they are being given. However, when questioned about the barriers to adoption of secure coding practices, a lack of time was cited as the number one reason, followed by a fifth of respondents citing a lack of a cohesive approach as the culprit. Training was seen more as a one-off event instead of a part of an ongoing strategic effort to incorporate security into developer workflows and utilized on a daily basis.

As such, developers aren’t enabled to build and retain secure coding skills as part of a cohesive and ongoing program across their organizations. We can also conclude that the training currently received is not particularly effective or comprehensive given that many developers say they still can’t identify and fix common vulnerabilities.

92% of developers said they needed at least some level of additional training in security, while 92 50% said that a lot more training was required.

What can organizations do to fix the situation?

It’s interesting that developers overwhelmingly said that they needed more security training. And while they valued the training they received, that might be a situation where they are simply happy with whatever they can get.

When asked to comment on ways to improve their training, their real thoughts on the issue began to surface. In general, most of the training that developers received was limited, non-interactive, only somewhat targeted at their job responsibilities, and not part of an overall or ongoing plan to help improve their organization’s security skills and awareness.According to the developers surveyed, if organizations want to improve the effectiveness of the training being offered, it should be presented as one part of a comprehensive approach to promoting a greater emphasis on security throughout the SDLC. In addition, developers had specific requests to make their training more valuable. One of the most popular suggestions was to include more use cases and hands-on examples of situations they were likely to encounter from a security perspective. Another popular response to improve effectiveness was for education to eventually cover increasingly complex or difficult scenarios – a move that would likely also require a more cohesive approach and a long term plan for continual learning and skills development.Developers also stressed the need for more interactivity and maybe even adding a competitive element. In general, training where users simply watch a video or listen to a lecture with no opportunity for hands-on, contextual learning is not seen as effective or especially valuable when trying to teach a complex and (perceived to be) difficult skill like secure coding.

Developers also stressed the need for more interactivity and maybe even adding a competitive element.

What other elements are important when adopting a cohesive security approach?

Training is of course critical when trying to improve the security awareness and skills of an organization’s developer community. And ensuring that learning is ongoing, interactive, relevant, and contextual is a necessity. But a truly cohesive approach to better security awareness goes even beyond that.

A truly cohesive approach must consider what is needed to foster a genuine developer-led security culture. It may require changing the focus from the typical ways of managing and building developer teams. For example, developers have traditionally been evaluated based on how quickly they could code. But a cohesive approach to security might involve changing those long held metrics and values. Instead, evaluations could shift emphasis away from rewarding raw speed and instead reward those developers who can create quality code that is also secure -meaning that it is free from vulnerabilities.

It could also involve the developer community itself as part of the effort. Instead of simply mandating security to developers, consider creating or appointing security champions from the community.These would be talented and security aware developers who distinguish themselves either in training or as part of the newly focused metrics evaluations. They should also be willing to help other developers enhance their skills, thus improving the development community from within.

A truly cohesive approach must consider what is needed to foster a genuine developer-led security culture. It may require changing the focus from the typical ways of managing and building developer teams.

For further reading

Whitepaper: The challenges (and opportunities) to improve software security

Whitepaper: The preventative developer-driven approach to software security

Whitepaper: The DevSecOps Superbowl: How security champions can support your team to victory against late-stage vulnerabilities

Report: The state of developer-driven security 2022