Wednesday, November 29, 2023

Stop Expecting Developers to Write Secure Code

[By Eitan Worcel, CEO and co-founder, Mobb.ai]

While it is expected that organizations do as much as possible to secure their software applications, expecting developers to write secure code only sets both up for failure. The root of the issue is that secure coding isn’t typically taught at schools where developers learn the basics, and when companies focus on speed above everything else, processes and well planned security architecture get kicked to the side in order for developers to deliver fast, secure architecture. Even if organizations provide security training or require third-party certificates, it’s not enough to override the core focus of why developers are hired in the first place – to create and build the technology we rely on to advance our society.

Coding is an artform as much as it is a computer science. The creative nature of code paired with the rigidness of security brings to light a crucial oversight in the industry: expecting developers to excel in secure coding from the get-go without a foundational emphasis is not just impractical—it’s unrealistic. For secure coding to become the norm, organizations need to take on the responsibility of making security an organic part of the development process which also means investing time in proper threat modeling and building good security architecture. Only then can organizations ensure that innovation isn’t stifled by security concerns.

The Reality of Secure Coding Expectations

The industry’s long-standing belief that on-the-job training is sufficient for developers to master writing secure code and incorporate the skill into their day-to-day workload overlooks several key realities. Firstly, as I mentioned above, secure coding is often not included in the standard educational curriculum for developers, which means it isn’t a skill they become deeply familiar with during their early learning phases. Secondly, the day-to-day demands of their roles do not typically require a continuous engagement with secure coding practices.

This creates a disconnect where embedding secure coding into a developer’s routine, even with multiple training sessions, remains an ambitious and unlikely goal. Training, while valuable, doesn’t necessarily transform developers into security experts. This gap between expectations and reality is highlighted in Secure Code Warrior’s ‘The challenges (and opportunities) to improve software security’ 2022 whitepaper. The findings are telling: 33% of developers are uncertain about what makes their code vulnerable, and 63% find the art of writing secure code challenging.

Where Companies Miss the Mark

The ‘State of Developer-Driven Security’ 2022 survey has indicated a glaring gap in the industry. Despite 75% of managers acknowledging the need for more training in security frameworks and encouraging developers to learn or adopt secure coding practices, many companies still fail to incorporate these standards into their hiring practices or job descriptions. If secure coding isn’t identified as a key hiring criterion or a defined responsibility within roles, employers can’t then expect developers to make it a priority.

However, the industry is beginning to recognize this discrepancy. A notable 82% of managers have started showing a preference for hiring developers who already possess secure coding skills, but only 66% of managers look at secure coding skills when assessing new hires and only 44% evaluate those skills via a written test. This shift points to a broader issue: the divergence between industry expectations and the practical reality of software development. Secure coding is a specialized skill that demands ongoing practice and support beyond theoretical knowledge.

Embracing a New Standard in Software Development

The evolution of software development hinges on effectively integrating security into its development core processes. Educational institutions have a pivotal role in this transformation, as they are responsible for instilling foundational skills in future developers. This approach aims to nurture a new generation of developers for whom security is a natural and essential element of software creation, thereby establishing a foundation where innovation intrinsically includes security considerations.

In parallel with these educational efforts, businesses have a crucial role in shaping a conducive environment for secure coding. This responsibility extends beyond integrating security into operational and recruitment strategies; it also involves conducting a threat modeling process, adopting tools that make securing code simple and aligned with developers’ core skill sets and workflows. By embedding security technology into processes instead of expecting and relying on human compliance allows businesses to align their pursuit of creative innovation with a steadfast commitment to security. This balance is needed to achieve a future in which technological breakthroughs are not only pioneering, but also securely engineered by design.

The post Stop Expecting Developers to Write Secure Code appeared first on Cybersecurity Insiders.


November 30, 2023 at 12:54AM

0 comments:

Post a Comment