The Security Innovation Europe Blog

Alan Pearson

Recent Posts

5 Security Challenges Faced by Cloud Software Developers

Posted by Alan Pearson on May 26, 2015


Cloud development has already proven to be one of the most revolutionary changes to ever affect the software industry. With a growing demand for IaaS, PaaS and SaaS (Infrastructure, Platform and Software as a Service) applications, development teams are increasingly setting their sights on cloud-based projects – but in many instances, failing to account for the threats posed by the new paradigm.

With each of the myriad benefits of cloud development comes a host of serious risks and vulnerabilities. In order to protect your applications from attack, and secure sensitive data, it’s essential for your development teams to be well-versed in the unique security challenges posed by cloud development.


How to Enforce Developer Security Training

Posted by Alan Pearson on May 19, 2015


If you’re looking to improve application security, there are two crucial steps to take. Your organisation first has to identify and choose a suitable training program and then, when you’re ready to roll it out across the organisation, enforce it.

It can be hard for developers to prioritise security, so to make training as effective and engaging as possible, we’re looking at 8 ways to enforce developer security training.


In-House vs Outsourced Developer Security Training: Which Works Best?

Posted by Alan Pearson on May 15, 2015


For organisations looking to train their developers in application security, there are two possible solutions: in-house or outsourced training.

Whilst in-house training from resident security professionals may seem like a great idea, the efficacy of your security training (and its return on investment) will usually be much higher with outsourced training.


How to Train Secure .NET Developers

Posted by Alan Pearson on May 11, 2015


Secure application development should be a priority for all developers – but with so many different technologies, languages and frameworks in use, it can be a challenge for developers to prioritise effective security.

In addition to the basic tenets of secure application development, developers need to understand which aspects of their chosen speciality differ from other development frameworks. .NET is one of the more common specialities, but relatively few developers are aware of the framework’s security best practices.

As with all types of specialised development, there are a handful of security issues and development tools which are unique to Microsoft’s .NET system. To train secure .NET developers, it’s essential for your organisation to implement training that covers these three crucial areas.


6 Mobile Security Mistakes Developers Keep Making

Posted by Alan Pearson on May 5, 2015


Mobile devices play a crucial role in day-to-day life. With the increasing popularity of BYOD within the workplace, smartphones and tablets are handling a growing amount of sensitive data. In order to prevent your mobile applications from jeopardising this data, it’s essential that developers recognise the most common security mistakes made during mobile application development.


How to Train Secure Java Developers

Posted by Alan Pearson on Apr 28, 2015


Java is one of the world’s most popular programming languages, with Java applications run on an estimated three billion devices. Unfortunately, this popularity is also responsible for its status as one of the most common sources of serious security vulnerabilities.

According to research by Kaspersky Lab, Java vulnerabilities were responsible for 50% of all cyber-attacks in 2013. The company identified 161 vulnerabilities over the course of the year, but just 51 of these vulnerabilities were published and publicly recognised. Of those 161 issues, six were deemed to be critical in nature – and it was these six exploits that accounted for the majority of Java security breaches.


How Much Does Developer Security Training Really Cost?

Posted by Alan Pearson on Apr 23, 2015


If you aren’t careful, the costs of developer security training can quickly snowball. As well as the sticker price of security training, it’s essential to factor in the additional opportunity costs associated with training.

These costs can vary hugely between classroom-style training, and eLearning courses – and to maximise your security training investment, it’s crucial to understand the real costs of developer security training.


Is it The Right Time to Train Your Software Developers in Security?

Posted by Alan Pearson on Apr 21, 2015


Whilst most organisations understand the need to improve their security, many take action in the wrong way. Despite spending hundreds of thousands of pounds on the latest security tools, they fail to meaningfully reduce the vulnerabilities, bugs and risks of their development projects.

Whilst the latest and greatest SaaS security tools are fantastic at identifying potential threats, they fail to address one of the main contributors: developer behaviour. In order to improve security in a meaningful and cost-effective way, your organisation’s first course of action needs to be developer security training.


How Important is Role Specific Developer Security Training?

Posted by Alan Pearson on Apr 17, 2015


Most developers specialise in a specific aspect of software and application development, each with its own set of unique benefits and potential security vulnerabilities. Whilst generalised developer security training provides a baseline of security knowledge, it lacks the scope and depth necessary to cover most developer specialities.

Even if a course is comprehensive enough to cover a broad range of developer roles, many of the idiosyncrasies of each platform and language simply aren’t relevant to developers with a different specialty.


How to Train Secure PHP Developers

Posted by Alan Pearson on Apr 15, 2015


As with all programming languages, PHP has a unique set of uses, idiosyncrasies and, crucially, security vulnerabilities. In order to effectively train developers in the best practices of secure PHP development, your organisation needs to build upon the basic tenets of developer training, and implement a security training program specific to PHP.

To help you develop a comprehensive training program for your developers, we’re looking at the fundamental elements needed to train secure PHP developers.
