There are few organisations that don’t understand the most basic tenet of secure application development: the cost of remediating a vulnerability increases the later it is found in the software development lifecycle.
In spite of this, organisations everywhere go about securing their applications in an entirely backwards way. Instead of investing in secure developer training, and reducing the number of vulnerabilities that make it into an application, they prioritise visibility.
Organisations spend hundreds of thousands of pounds on security testing tools, without any corresponding investment in training. At best, these organisations end up with a list of vulnerabilities so huge that they can’t all be remediated; at worst, expensive investments end up as shelfware, with no real impact on vulnerabilities or security.
The Problems of Prioritising Security Education
It’s common knowledge that developers unwittingly produce vulnerabilities in their code – but instead of investing in education to reduce the creation of vulnerabilities, organisations are spending money on finding them. Huge investments are made in testing and visibility, only to uncover information we already knew.
If both the problem and the solution are so obvious, why do so few organisations invest in effective security training programmes?
Over the last decade, security companies and consultants have focused their efforts on selling security tools into organisations. ‘Line of code’ visibility has become the most common security creed, despite the fact that identifying vulnerabilities is only half the problem, and most organisations lack the resources to remediate even a fraction of the vulnerabilities they find.
‘Improved visibility into potential risks’ is an easier sell than ‘improved developer security knowledge’, appearing, at least on the surface, to offer more tangible benefits. As an executive, it’s far easier to solicit investment to identify vulnerabilities than it is to fund training. This situation is exacerbated by the economic climate: since 2007-2008, training has often been the first budget item to be cut.
Identifying the Benefits of Developer Education
Crucially though, the benefits of improved developer security knowledge are far from intangible. When implementing a security training rollout, it’s possible to track the impact of developer education, both in terms of reduced vulnerabilities and cost savings.
- Before rollout, perform a baseline calculation to identify how many vulnerabilities are currently coming into test.
- Start the education programme, and periodically benchmark the number of vulnerabilities making it into test. Test at 3 months, and compare the number of identified vulnerabilities with those found before rollout. Repeat at 6 months, and so on.
With a developer security training programme in place, the number of vulnerabilities making it into finished code will decrease. As the programme develops, the value proposition of further security training becomes clear, with developer education yielding a factor of X fewer vulnerabilities, a cost saving of Y, and a return on investment of Z.
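The following is an added worked example, not part of the original article: it turns the baseline-and-benchmark procedure above into the three figures the text leaves as X, Y and Z. The vulnerability counts, cost per vulnerability found in test and training cost are all constructed sample values, and the saving is calculated against the pre-rollout baseline for each benchmark period.

```python
from dataclasses import dataclass


@dataclass
class Benchmark:
    """Vulnerabilities that reached test in one benchmark period after rollout."""
    month: int
    vulns_into_test: int


def reduction_factor(baseline: int, current: int) -> float:
    """Factor X: how many times fewer vulnerabilities reach test than at baseline."""
    if current == 0:
        return float("inf")  # nothing reached test; treat as unbounded improvement
    return baseline / current


def training_roi(baseline: int, benchmarks: list[Benchmark],
                 cost_per_vuln_in_test: float, training_cost: float) -> dict:
    """
    baseline:              vulnerabilities per period entering test before rollout
    benchmarks:            periodic counts after rollout (3 months, 6 months, ...)
    cost_per_vuln_in_test: cost to remediate one vulnerability found at the test stage
    training_cost:         total spend on the education programme
    Returns factor X per period, the cost saving Y and the return on investment Z.
    """
    factors = {b.month: reduction_factor(baseline, b.vulns_into_test) for b in benchmarks}
    avoided = sum(max(baseline - b.vulns_into_test, 0) for b in benchmarks)
    saving = avoided * cost_per_vuln_in_test            # Y
    roi = (saving - training_cost) / training_cost      # Z, as a multiple of spend
    return {"factor_by_month": factors, "vulns_avoided": avoided,
            "saving": saving, "roi": roi}


# Constructed sample data: 120 vulnerabilities per quarter before training,
# 80 at the 3-month benchmark and 40 at the 6-month benchmark.
SAMPLE_BASELINE = 120
SAMPLE_BENCHMARKS = [Benchmark(3, 80), Benchmark(6, 40)]
SAMPLE_COST_PER_VULN = 500.0      # assumed remediation cost per vulnerability in test
SAMPLE_TRAINING_COST = 20_000.0   # assumed programme cost

if __name__ == "__main__":
    result = training_roi(SAMPLE_BASELINE, SAMPLE_BENCHMARKS,
                          SAMPLE_COST_PER_VULN, SAMPLE_TRAINING_COST)
    for month, factor in result["factor_by_month"].items():
        print(f"month {month}: {factor:.1f}x fewer vulnerabilities reached test")
    print(f"saving {result['saving']:.0f}, ROI {result['roi']:.1f}x")
```

Counts should be compared over periods with a similar volume of code delivered into test, or a quiet quarter will look like a training success.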
Instead of a laundry list of thousands of vulnerabilities, the organisation will find itself faced with a smaller selection of vulnerabilities. These will be far easier to prioritise and remediate, and serious vulnerabilities will be more apparent. This reduces the need for security teams to approach the business to stop the application, or new functionality, from going live. Avoiding that loss of competitive edge is a hugely powerful incentive for developer training, making it easier to sell its benefits in terms the C-suite will understand.
The Essential Nature of Security Training
It’s common knowledge that application vulnerabilities pose a serious risk to the profitability and reputation of an organisation. We know that improving a developer’s security knowledge will reduce the number of vulnerabilities that make it into a finished product. We know that vulnerabilities can dramatically increase the costs of launching a new application, and most importantly of all, we know that testing alone won’t solve these problems.
In order to reduce the costs of identifying and remediating vulnerabilities, and the costs of rolling out your next application, education is essential – and it’s never too soon to improve developer security knowledge.