TOP REASONS TO TURN YOUR TEAM OF DEVELOPERS INTO SECURITY CHAMPIONS
Current trends in the IT world consistently reveal a pattern of increasingly sophisticated cyber-attacks on businesses, end-users, and software applications. The BSIMM 2016 survey indicates there is a significant shortage of software security engineers (AppSec engineers); 95 firms across six industries indicated that for every 245 software engineers, only one individual was a security expert. This is a startling and troublesome statistic. If this survey truly identifies the overall state of software engineers, it means that less than one percent (0.41 percent) of software engineers are capable of performing security tasks for the organization.
At the same time, according to the 2015 Trustwave Global Security Report, the average number of vulnerabilities found in data breach investigations was over three times higher than the average number of vulnerabilities discovered two years prior. The increase in data breaches necessitates an increase in capable software security engineers. These engineers and developers are equipped to prevent cyber-attacks against web, mobile, web service, and other application layer functionality.
Today, we’re experiencing a shortage of qualified security engineers. High demand for these positions comes with increased negotiating power when hiring an experienced security engineer or developer. Rather than searching for this extremely limited talent on the open job market, consider the software engineers already working for your organization. What if your team was equipped with the know-how to ensure code is secure and functional from the very first phase of software development? This can mitigate future threats, decrease risks, stop data breaches from occurring, and prevent costly lawsuits often resulting from a breach.
Training software engineers to become security champions is a goal all development firms should aspire to fulfill. There are several steps and methods to turn traditional engineers into security champions. We can start by implementing the use of Secure Software Development Life Cycle methodologies. Other engaging ways to encourage your team include:
- Utilizing secure coding best practices, and using engineering models such as DevOps (i.e. integrating security in all stages of building and deployment).
- Presenting live demos or attending webinars.
- Using a mentor program to engage your team in development and security assessments.
- Researching the security features of different platforms and frameworks.
- Attending security conferences, meetup groups, and online training.
SOFTWARE ENGINEER TURNED SECURITY CHAMPION
A SECURITY CHAMPION KEEPS CODE SECURITY AT FRONT OF MIND
The main difference between a security champion and a traditional software engineer is how they approach the design and implementation phase. A traditional engineer will typically select framework features and write code with functionality and features at the forefront. Contrasting this mindset, a security champion keeps security in mind during all phases of the development life cycle. This is commonly referred to as “shifting security left”.
A security champion recognizes opportunities to design security into an application from the beginning. During requirements and design, a security champion works with the project team to ensure they understand which secure framework features, access control, validation, and encoding libraries are required. Security champions may also be responsible for writing high-risk sections of code (e.g. password management or cryptography libraries) and performing security-specific peer reviews during the implementation phase.
A SECURITY CHAMPION RECOGNIZES ISSUES WHEN THEY SEE THEM
Security champions will recognize issues that a traditional software engineer may not identify. Common application vulnerabilities such as command injection, cross-site scripting, and weak access control logic are quickly identified during peer reviews. More importantly, these security bugs are identified early in the life cycle before reaching a test environment. Security champions also provide junior engineers with on-the-job training and remediation advice, reducing the need for companies to hire expensive external consultants for long periods of time.
WHAT RESOURCES WILL YOU NEED TO UPSKILL A DEVELOPER?
Equipping a software engineer with the necessary skills to become a security champion requires some simple but powerful resources, namely:
Security Training – Training in secure coding, cryptography, web, mobile, cloud and SDLC security is a necessity. Obtaining industry-standard certification is also a plus. Security training can be divided into three levels – Aware, Skilled, and Champion.
- Aware – The first level requires the trainee to learn about the OWASP Top 10, secure coding methodologies, and basic threat awareness.
- Skilled – The second level requires the trainee to learn about the Secure Software Development Life Cycle, relevant development framework security features, and modern security in web, mobile, and cloud platforms.
- Champion – The third level requires the trainee to learn how to run scanning tools, verify scan results, perform ethical hacking/penetration testing on applications, and perform security-focused code reviews.
Willingness to Learn – The software engineer must be willing to learn new technologies, adapt to rapidly changing technology stacks, and enjoy testing and defending against new vulnerabilities.
Willingness to Teach – Passing the knowledge along to colleagues and team members is critical to raising security awareness throughout the development organization. Presenting topics during lunch-and-learns is beneficial to the entire project team.
While the above presents a basic foundation of the training method for leveling up a traditional software engineer, the following five-step approach goes into more detail:
- After teaching basic security training to the engineer, assign a mentor to the trainee and begin teaching application development with security methodologies. The trainee should demo and test a new vulnerability on a weekly basis.
- The trainee should learn security testing methods, how to use security tools, write sharable security modules, and research security aspects of different frameworks and platforms.
- The engineer should learn about secure coding in specific languages, web application security, and mobile app security. In addition to this, the trainee should learn about cloud and modern framework security.
- The software engineer should learn how to incorporate all of his/her security training into the software development life cycle. Building security requirements, abuse cases, and abuser stories into unit / functional test cases will help enforce security throughout the development pipeline.
- The engineer should be trained in various types of application security analysis and scanning:
- Static analysis
- Secure code review
- Dynamic analysis of run-time applications
- Scanning third-party libraries/modules for known vulnerabilities
WHAT IS THE TIMELINE FOR SECURITY SKILL IMPROVEMENT?
Projecting a training timeline is difficult because everyone learns at different speeds. Corporate executives should start by monitoring how long software engineers are trained before they are ready to contribute to security projects. Using these metrics to set realistic expectations will help ensure the success of the program. Security champions can also do weekly job rotations between security and software development to help measure their competency and ensure success.
HOW MUCH IMPROVEMENT IS ENOUGH FOR AN IN-HOUSE SOFTWARE ENGINEER?
Let’s face it, if an application is created without security in mind, any improvement is better than nothing. Here are some signs that indicate your software engineers are ready to help build security into their daily work:
- Writing secure code, identifying security issues during their security-focused peer reviews, and mentoring security engineers in training.
- Ensuring code does not contain issues identified in the OWASP Top 10 is a place to start, but benchmarking applications against a standard such as the OWASP Application Security Verification Standards (ASVS) will provide more thorough coverage.
- Static and dynamic scanning tools no longer report high-risk findings in their code.
- In-depth security reviews by the security team or external security consultants no longer turn up high-risk findings.
THE END GOAL IS NOT TO BE A FULL TIME SECURITY TESTER
It is important to realize the goal is not to turn security champions into full-time security testers. Establishing security best practices amongst development firms requires a complete revamping of software development life cycle methodologies, and a change in how application development is approached. Investment in the right scanning tool can also help guide developers and engineers as they navigate different security risks. Security champions must continue to work as part of the project team and be advocates for secure product development going forward. Implementing security features in the source code, building unit and functional security tests, and performing continuous security reviews act as powerful pre-emptive measures that mitigate security issues before they start.
BENEFITS OF TURNING YOUR TEAM OF SOFTWARE ENGINEERS TO BEING MORE SECURITY FOCUSED
A working software engineer who is a security champion is a critical asset for any software development team. Building applications with security top-of-mind creates applications with a secure framework, secure architectural design, and a decreased attack surface, all of which help to reduce the risk of running high-risk applications in production.
Having security champions as software engineers enables security coverage throughout the development life cycle. Vulnerabilities that are considered “low-hanging fruit” are easily caught and mitigated before release to production, which prevents attackers from finding issues that are trivial to exploit. This also means that external penetration testers can focus on more advanced threats and business logic vulnerabilities, providing more value to the organization.
Reference: “2015 Trustwave Global Security Report”. Retrieved from: https://www2.trustwave.com/2015-Global-Security-Report-Landing-Page_2015-Global-Security-Report-Success-Page.html?aliId=79544114