Why developers are our best defence against cyberattacks

Matias Madou, Co-Founder & CTO at Secure Code Warrior, explains why developers are our best defence against cyberattacks.

As restrictions ease and we start to see the light at the end of the tunnel, it could be years before we fully adjust to life post-pandemic. At the same time, many organisations are choosing to continue to operate on a remote or hybrid basis; the influx of new tools and technologies designed to support a remote workforce brought with it a new set of vulnerabilities that IT and security teams were not prepared for.

Criminals quickly caught on to the fact that organisations were not set up for remote work and took advantage of the disruption, launching a barrage of attacks over the past year. In this unknown territory, traditional cybersecurity defences can’t be relied on to hold the fort; it’s developers that need to step up to become the new frontline defenders.

For organisations to better defend against cyberattacks, developers need to be given ownership of their vital role in cybersecurity, ongoing support to enable them to share responsibility, and credit where it’s due for their successes. In addition, developers need continuous upskilling to keep pace with advances in technology, access to the right resources, and a framework of contextual knowledge that teaches practical secure coding skills, not to mention the importance of quality, safe code. It’s the responsibility of business leaders to champion these new approaches to security from the top, empower CISOs, CTOs and security executives to invigorate existing security programmes and prioritise developer-centric learning.

Preparation is key

Cyberattacks are becoming more and more sophisticated, and current cybersecurity tools are struggling to keep pace. Traditional tools like firewalls and antivirus software can stop some attempts, but the attacks that do slip through the net can take an average of 280 days to identify and contain, according to findings from IBM. The Equifax data breach, for instance, which exposed information on 147 million people and cost the company over $1.7 billion, went undetected for 76 days.

When it comes to cybersecurity, the reality is that many organisations are still relying on reactive defences. This approach depends either on remediating bugs in code that has already shipped or on incident response after a breach has occurred. It is very expensive, and it overlooks a proactive approach that makes use of the human element of security. By investing in the people who write the code, organisations can regain control of the situation, eliminating vulnerabilities at the start rather than passing common, fixable bugs on to already overloaded security tooling.

Security should be the priority, not speed

For a long time, a developer’s skill has been measured against how quickly they can develop code, with security as an afterthought. We need to rethink this seal of quality and shift the focus from speed to security. By choosing to support developers with viable routes to upskilling, organisations can improve their whole software pipeline. There is a real opportunity here for business leaders to reshape this outdated notion and prioritise high quality, secure code.

Providing relevant, in-depth educational experiences that provide the foundation of secure coding skills will help developers see the bigger picture and understand how they are helping prevent cyberattacks caused by common vulnerabilities. Coupled with incentives for writing secure code, CISOs and security executives can encourage developers to become key in their cybersecurity teams.

Why we should put developers first when it comes to security

According to a study carried out by the IBM System Science Institute, the expense of fixing a vulnerability increases by a factor of six once it leaves the development environment. If the vulnerability is discovered during a traditional testing process after the programme or app has been completed, it becomes 15 times more expensive. Furthermore, if an organisation finds a bug or a vulnerability once a programme is placed in the production environment, it’s a staggering 100 times more detrimental to an organisation’s bottom line.

The initial financial outlay of training developers to write secure code can soon be justified once common security bugs start to be eliminated before progressing down the development pipeline. If business leaders invest in upskilling developers and focusing on a more effective, long-term solution, they can actively avoid paying the price of a security breach.

Staying one step ahead

On-the-go skills development programmes don’t always have the best reputation, and not always fairly. The technology and cybersecurity industries are a particular problem because they are constantly evolving: guidelines become outdated, and are sometimes nearing obsolescence before they are even finished.

Learning should be continuous to remain effective. Developing a flexible upskilling programme can result in better coding and developers with greater skills. Several developer-led programmes use learning tools, which become part of the process itself, alerting the developer if they write code with a known vulnerability, facilitating contextual, accessible teaching moments by explaining how the developer could have completed the same action more securely.

Secure code is quality code

Many common vulnerabilities exist because developers haven’t followed secure coding best practices and are using poor coding patterns. This is often not their fault: the culture around security skills, and the support offered to developers, leaves a lot to be desired. Secure coding and quality coding are very much interlinked. The more time developers spend familiarising themselves with current security practices, the more conscious they become of creating high-quality code.

In a world where cyberattacks constantly threaten organisations, investing in developers is a wise move for businesses. Catching vulnerabilities in the early stages of software development means that they don’t become a security headache further down the line.

Author

Matias Madou is Co-Founder and CTO of Secure Code Warrior, where he is responsible for leading the company’s technology vision and overseeing the engineering team. Matias has more than 15 years of hands-on software security experience, has developed solutions for companies such as HP Fortify, and founded a company called Sensei Security. Over his career, Matias has led multiple application security research projects which have led to commercial products, and he holds over 10 patents. When he is away from his desk, Matias has served as an instructor for advanced application security training courses and regularly speaks at global conferences including RSA Conference, Black Hat, DefCon, BSIMM, OWASP AppSec and BruCon.
