Cybersecurity is more challenging than ever, especially for organizations that write their own programs, apps, or code. The latest Verizon Data Breach Investigations Report is somewhat shocking, with the findings for 2023 pointing to an increase of more than 200 percent in most advanced attacks. The IBM Cost of a Data Breach Report this year also pegged the average cleanup costs per incident at $4.45 million.
Threats have been increasing in both intensity and sophistication for many years now. Recalling a time when attacks were this potent is difficult, however, with incidents like the MOVEit breach affecting tens of millions of individuals in one attack alone. Thankfully, organizations that write their own code need not rely on the goodwill or the skill of others when it comes to their software. Carefully training their developer communities to consistently write secure code can pay huge dividends by eliminating vulnerabilities and denying attackers any way to exploit code. Even if an attacker can bypass whatever external cybersecurity is protecting a network, if the underlying code is secure, getting access to it won’t do an attacker much good.
In fact, according to our own internal data analysis of 75,000 developers, tasking them to become a first line of defense can reduce the number of vulnerabilities in completed code by up to 53 percent or more. So, let’s take a look at the importance of ensuring that they’re given good cybersecurity training using agile learning methods.
Agile Learning in Action
The good news is that most developers want to learn about secure coding practices. This desire may be due to wanting to reduce the amount of reworking they need to do on vulnerabilities found by AppSec teams, to further their own careers, or just so they can take pride in their work. Many developers are also willing to volunteer to become security coaches or champions to lead the rest of their team in that effort.
But not all training is equal. Writing code is a complex skill in an industry that is constantly innovating and changing. “Check-the-box”-style learning activities will do very little to help developers improve their secure coding skills and even less to enhance an organization’s ability to reduce vulnerabilities in its code. Instead, the best training methods should use the same agile methods that have proven so effective for writing code and with which developers are already familiar.
Let’s explore this concept more fully.
3 Pillars of Agile Learning for Secure Coding
- Just-in-time microbursts of training: Learning initiatives should be bite-sized, contextual, and offered on an ongoing basis, allowing developers to access the right training at the right time, in line with the security challenges they face as they code.
- Dynamic and hyper-relevant lessons: Static training ages quickly and is rarely tailored to the educational needs and workflow of developers. Agile learning tends to be much more palatable, especially when delivered in the environments, languages and frameworks they see in their day jobs. It allows developers to apply knowledge faster, with less disruption, and see the value of the exercise as a whole.
- Progressive layering: Once the development cohort has mastered the foundations of secure coding, their upskilling journey can continue into more advanced concepts, which can lead to greater trust and access to more desirable projects once their secure coding prowess has been assessed and verified.
According to Gartner, by 2025, 70 percent of large enterprises will adopt agile learning approaches. Amazing potential exists in this shift to microlearning, continuous improvement, and building key knowledge that can be capitalized upon for safer software and more positive security outcomes.
In addition to tapping into agile methods to supercharge training, programs should also follow smart practices like defining desired success criteria, identifying and promoting security champions, incentivizing developers who excel, and measuring and quantifying successes along the way, such as reductions in code vulnerabilities.
Build in Time for Learning
There is one more critical component that organizations need to invest in to ensure a successful training program, however. This is an area that businesses often overlook: Success requires time.
Even if developers want to learn about secure code, and even if you put a robust training program in place that relies on agile methods, you still need to ensure that it will not become an added burden placed on your already overworked development teams. Learning secure code is not a simple undertaking. It requires time, study, and a safe place to make mistakes. Ideally, you should set time aside during the work week to allow developers to train.
Lots of top organizations, many of which write their own code, provide time for security training. For example, Slack, the professional chat space owned by Salesforce, recently announced that its developers would be given a full week off from their regular duties to devote to security training. No other work will be required of the teams during that time. To add incentive, developers who complete their security training and demonstrate the ability to write secure code will be awarded “Ranger Status” with the company. This honorific designates them as committed defenders against vulnerabilities and insecure code, and likely marks them as a higher standard of developer among their peers.
Though this shift may cause some initial tension, there is much to be said for going slower before attempting fast code deployment. Feature delivery at lightning speed should only be the realm of those trained to spot potential security issues as they move rapidly.
Agile Plus Time Equals Success
Whether focusing on a dedicated period of time devoted to education like Slack or carving out some time every week for ongoing security training, providing the time for developers to study and learn about this important area is critical to a program’s success. Yes, that may mean some deadlines will have to shift back a bit to compensate. Still, ultimately, reducing code vulnerabilities will lead to less reworking, streamlined development, and, most importantly, a much lower chance that attackers will be able to exploit code once it reaches the production environment.
Investing in a proven, agile-focused security training program for developers in the face of an overwhelmingly hostile threat landscape is a necessity these days. Just don’t forget to provide the time for your developers to learn those critical lessons.