The past 18 months have been surreal. Change and uncertainty left no global stone unturned. Work from home mandates forced the long-overdue shift to hybrid, virtual staffing models that those of us deep into the software industry had already begun to embrace (crowdsourcing, gig economy-based teams, etc.). Companies struggled to make the shift from in-person technology training to online eLearning platforms.
While the IT industry is still reeling from “the pandemic effect,” one reality stayed the same for software programmers. The rush to meet enterprise and mobile application development (AppDev) needs and deadlines did not slow, which kept alive the lingering debate about whether the functionality of code (does the code do what it has been asked to do) or the performance of code (readability, modularity, elegance, etc.) ranks as priority one when talking about secure coding.
A foundational aspect of AppDev, secure coding aims to ensure that code is as clean as possible. Error-free code protects software from defects, bugs and intelligence flaws that result in security vulnerabilities. Even the smallest programming mistake can cause a large-scale security breakdown, ultimately leading to compromised intellectual property and data.
Programmers have always shouldered most of that burden and COVID didn’t make that any different. They worked under the same high, pre-pandemic pressures to code cleanly and securely, while receiving less guidance, training, team support and time.
Secure coding skills require proper training
A commitment to secure coding principles and the goal to eliminate (or at the very least reduce) software vulnerabilities must be the intent of every level across an IT organization. However, if those programming on the front lines don’t have the proper skills and necessary training to create code that’s as close to “perfection” as possible, the initiative is sure to fail.
Whether or not COVID is a viable excuse, companies can’t assume developers “just have” the necessary know-how to code securely. Programmers fresh out of college have hardly been taught the value and practice of secure coding and how it remediates vulnerabilities. Continuous opportunities for DevTeam skill-building and advanced training as part of a company’s secure code objectives, as well as tying defined application security (AppSec) priorities to performance metrics, make a significant difference in motivation, performance and security integration. In addition, programmers gain an equal knowledge base that fosters an environment where they, too, can spend more time writing and deploying good code, rather than fixing errors.
One training strategy proving successful is the integration of gamification into upskilling initiatives. Generally speaking, programmers tend to like competition, which goes deeper than just the desire to earn top spot on a leaderboard. For example, Secure Code Warrior offers ways to improve secure coding skills and outcomes through tournaments, courses, assessments and more. It teaches and motivates developers to code securely, but also drives training adoption throughout the development organization. The end results are positive increases in developer speed, accuracy and productivity.
While companies can’t expect programmers to be security “experts,” they can certainly require them to become security “champions” as the first line of organizational defense.
Virtual training considerations for secure code initiatives
2020 ushered in a modern era of virtual, online eLearning platforms that are cost-effective and easy to use. For example, OrasiLabs is a cloud-native, elastic environment with reusable templates on a scalable platform that accommodates organizations of every size. OrasiLabs enables companies to incorporate real-world scenarios and other strategies into training programs that are proven to increase knowledge retention. Companies have finally seen the value of being able to learn with anyone, from anywhere, at any time.
The “learners” involved with secure code training (developers, designers, data scientists, testers, etc.) typically know, very quickly, whether or not what they’re experiencing is delivering value. Therefore, it’s important for CTOs, CIOs, CHROs and VPs of Engineering to run training and development courses on the most modern, efficient, easy-to-use eLearning platforms available, and not try to cobble together a quick fix from general day-to-day collaboration tools. For example, Zoom, Google Meet, WebEx, Slack, etc. are not sufficient ways to execute quality, virtual eLearning programs that drive secure coding success.
For 2021 and beyond, an increased investment in secure code training and development will reinforce how important it is for programmers to develop the cleanest code possible. Empowering them with the know-how is critical for AppSec initiatives and helps thwart security vulnerabilities that lead to cyberattacks and compromised data assets.