Matias Madou, Co-Founder & CTO at Secure Code Warrior, explains why developers are our best defence against cyberattacks.
As restrictions ease and we start to see the light at the end of the tunnel, it could be years before we fully adjust to life post-pandemic. At the same time, many organisations are choosing to continue to operate on a remote or hybrid basis; the influx of new tools and technologies designed to support a remote workforce brought with it a new set of vulnerabilities that IT and security teams were not prepared for.
Criminals quickly caught on to the fact that organisations were not set up for remote work and took advantage of the disruption, launching a barrage of attacks over the past year. In this unknown territory, traditional cybersecurity defences can’t be relied on to hold the fort; it’s developers that need to step up to become the new frontline defenders.
For organisations to better defend against cyberattacks, developers need to be given ownership of their vital role in cybersecurity, ongoing support to enable them to share responsibility, and credit where it’s due for their successes. In addition, developers need continuous upskilling to keep pace with advances in technology, access to the right resources, and a framework of contextual knowledge that teaches practical secure coding skills, not to mention the importance of quality, safe code. It’s the responsibility of business leaders to champion these new approaches to security from the top, empower CISOs, CTOs and security executives to invigorate existing security programmes and prioritise developer-centric learning.
Preparation is key
Cyberattacks are becoming more and more sophisticated, and current cybersecurity tools are struggling to keep pace. Traditional tools like firewalls and antivirus software can stop some attempts, but the attacks that do slip through the net can take an average of 280 days to identify and contain, according to findings from IBM. The Equifax data breach, for instance, which exposed information on 147 million people and cost the company over $1.7 billion, went undetected for 76 days.
When it comes to cybersecurity, the reality is that many organisations are still relying on reactive defences. The strategy behind this approach relies on either the remediation of bugs in code that has already shipped or to incident response in the event of a disaster. This approach is very expensive and overlooks a proactive approach that utilises the human element of security. By investing in their security teams, organisations can regain more control of the situation, helping to eliminate vulnerabilities at the start before passing common, fixable bugs onto an already overloaded security tool.
Security should be the priority, not speed
For a long time, a developer’s skill has been measured against how quickly they can develop code, with security as an afterthought. We need to rethink this seal of quality and shift the focus from speed to security. By choosing to support developers with viable routes to upskilling, organisations can improve their whole software pipeline. There is a real opportunity here for business leaders to reshape this outdated notion and prioritise high quality, secure code.
Providing relevant, in-depth educational experiences that provide the foundation of secure coding skills will help developers see the bigger picture and understand how they are helping prevent cyberattacks caused by common vulnerabilities. Coupled with incentives for writing secure code, CISOs and security executives can encourage developers to become key in their cybersecurity teams.
Why we should put developers first when it comes to security
According to a study carried out by the IBM System Science Institute, the expense of fixing a vulnerability increases by a factor of six once it leaves the development environment. If the vulnerability is discovered during a traditional testing process after the programme or app has been completed, it becomes 15 times more expensive. Furthermore, if an organisation finds a bug or a vulnerability once a programme is placed in the production environment, it’s a staggering 100 times more detrimental to an organisation’s bottom line.
The initial financial outlay of training developers to write secure code can soon be justified once common security bugs start to be eliminated before progressing down the development pipeline. If business leaders invest in upskilling developers and focusing on a more effective, long-term solution, they can actively avoid paying the price of a security breach.
Staying one step ahead
On-the-go skills development programmes don’t always have the best reputation and not always fairly. In particular, the technology and cybersecurity industry is because they’re constantly evolving, so guidelines are outdated and sometimes nearing obsolescence before they’re even finished.
Learning should be continuous to remain effective. Developing a flexible upskilling programme can result in better coding and developers with greater skills. Several developer-led programmes use learning tools, which become part of the process itself, alerting the developer if they write code with a known vulnerability, facilitating contextual, accessible teaching moments by explaining how the developer could have completed the same action more securely.
- Proofpoint: why email is the top cybersecurity threat in 2021
- Supporting your remote workforce: cloud migration for your business in five steps
- SolarWinds IT Trends Report 2021: Building a Secure Future
- Snow Software on cybersecurity trends and challenges in 2021
Secure code is quality code
Many common vulnerabilities exist because developers haven’t followed best practices in secure coding, and they are using poor coding patterns. This is often not their fault, and the culture and facilitation of security skills for them leaves a lot to be desired. Secure coding and quality coding are very much interlinked. The more time developers familiarise themselves with the latest security practices; the more conscious they are of creating high-quality code.
In a world where cyberattacks constantly threaten organisations, investing in developers is a wise move for businesses. Catching vulnerabilities in the early stages of software development means that they don’t become a security headache further down the line.