We Asked Software Developers if They Had Ever Heard of Cybersecurity: They Said ‘No’
Our survey of software developers confirmed what many in the security industry have long suspected.
78% of software engineers, developers, programmers — the professionals who build the applications and websites we regularly use and trust — reported that they had received ‘no training’ when it came to the topic of information security. This sounds about right, given that most computer science degree programs and coding bootcamps rarely include these topics in their curriculum.
While data security is rarely explicitly part of the job for most software professionals, it’s a critical aspect of software development. Professionals who write code need to understand what a piece of software does, how it operates from a technical and user perspective, and perhaps most importantly: how it can be broken, modified, or manipulated to do something other than its intended purpose. And while it may be tempting to build products and worry about security later — thousands of data breaches and cyber incidents over the years have revealed that far too often ‘later’ tends to become ‘never’.
Security vulnerabilities that affect software and applications include, but are not limited to: Arbitrary File Upload, Authentication Bypass, Clickjacking, Cross-Site Request Forgery, Cross-Site Scripting, Misconfiguration, Inadequate Error Handling, Injection Attacks, Insecure Direct Object References, and Insecure Credential Handling. These vulnerabilities — or weaknesses — can be exploited by threat actors, cyber criminals, and curious minds to access confidential information. Some of these are malicious in nature, others can be the result of negligence, yet both can be addressed by providing better security training for developers.
How can software engineers and developers better embrace information security?
Information security at any level in an organization is largely a matter of culture: Have clear security best practices been established, and are users encouraged to follow them? Is there pressure to build and ship products that conflicts with conscious, secure design? In addition to this thorough examination of security culture, there are a number of resources that exist for coders to level up their information security hygiene:
NIST SP 800-218: Secure Software Development Framework (SSDF)
This document recommends the Secure Software Development Framework (SSDF) – a core set of high-level secure software development practices that can be integrated into each SDLC implementation. Following these practices should help software producers reduce the number of vulnerabilities in released software, mitigate the potential impact of the exploitation of undetected or unaddressed vulnerabilities, and address the root causes of vulnerabilities to prevent future recurrences.
Secure Software Development Life Cycle (SSDLC)
The SSDLC builds upon the Software Development Life Cycle (SDLC), adding various elements to the existing phases. These include: Risk Assessment, Threat Modeling & Design Review, Static Analysis, Security Testing and Code Review, Security Assessment, and Secure Configuration.
OWASP’s Secure Coding Practices Quick Reference Guide is a technology agnostic set of general software security coding practices, in a comprehensive checklist format, that can be integrated into the development lifecycle.
The OWASP Top 10 is a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications.
SAFECode is a global nonprofit organization that brings business leaders and technical experts together to exchange insights and ideas on creating, improving and promoting scalable and effective software security programs.
Additionally, in recent years, several training platforms have emerged to help developers cultivate a secure coding mindset. Some of these platforms include:
Security Journey provides a secure coding training platform where developers learn by actually exploiting and then fixing vulnerabilities in a web-based sandbox.
Powered by ThriveDX, our scalable technology reinvents and reimagines enterprise application security education for the modern developer—all while supporting our pursuit to close the skills shortage in cybersecurity.
Secure Code Warrior helps developers write more secure code. We are focused on bringing an innovative approach to developer security training.
Review concrete code samples illustrating the security flaws, and how to avoid them, in the major programming languages.
SecureFlag provides a powerful and user-friendly way for enterprises to strengthen their secure coding practices. Developers, DevOps and QA engineers learn secure coding at their own pace with updated examples and hands-on practice that improves their competency and prepares the organization to confidently achieve its business goals.
As an early innovator in the application security testing market, Checkmarx has been relentless in our mission to continuously innovate and lead the industry with solutions that dramatically improve software security while meeting the evolving needs of the modern software development landscape. The Checkmarx Software Security Platform fits right in to an automated DevOps environment and addresses all stages of the SDLC, enabling our customers to accelerate delivery of secure software.
Time to get certified?
Unlike other areas of tech, the professional coding world has never paid much attention to certifications (though several exist), but it might be time to create a more hands-on credential that assesses developers on secure coding best practices and identifying vulnerabilities. The closest thing to this at present is (ISC)²’s Certified Secure Software Lifecycle Professional (CSSLP).
Security practitioners regularly participate in conversations about ‘shifting security left’, or ‘building security in’. Conceptually, these represent an idealistic philosophy and a best-practices-driven approach to information security. What’s rarely discussed is how to equip the professionals at the core of these products with the tools, technologies, and skills to code securely. Until that changes, it seems we will forever be ‘bolting security on’ as an afterthought.
Editor’s Note: Curious about our survey methodology? We sent our survey to over 1748 software engineering professionals on LinkedIn who had active profiles (for our purposes, we defined active the same way LinkedIn does: Posts published, liked, shared, or commented on within the last 90 days.) We heard back from 836 of these professionals who worked full time at medium to large companies. Respondents were given 72 hours to complete the survey. Responses received outside of this window were not included here.