Inspiring secure coding: Strategies to encourage developers’ continuous improvement
In software development, the importance of secure coding practices cannot be overstated. Fostering a security culture within development teams has become crucial to ensure the integrity and protection of digital systems.
To delve deeper into this topic, we had the opportunity to interview Pieter Danhieux, CEO at Secure Code Warrior. He sheds light on the significance of positive security culture, the reasons behind recurrent vulnerabilities, strategies for incorporating secure coding training without hampering development processes, the effectiveness of gamified learning experiences, the need for the regular refreshment of secure development training, and innovative methods to encourage developers to improve their secure coding techniques.
How important is fostering a security culture within development teams for secure coding practices?
The culture surrounding how security is perceived and actioned within the development cohort underpins everything, and likely reflects how successful they will be in achieving favorable security outcomes.
Traditionally, developers have had negative experiences with their AppSec counterparts. If we take in the view from where the developer is sitting, they only tend to hear from the security team when something has gone wrong: either their code is broken from a security perspective, or they’re saddled with fixing another developer’s mistake. Both are equally disruptive to their workflows, and in the case of their own work, it’s not unlike calling their baby ugly. They have worked tirelessly to ship beautiful, functional code that achieves feature delivery goals; security is someone else’s role, and not often a measure of their code quality in terms of organizational KPIs.
Resentment can be strong between both teams, but fostering a positive security culture where developers understand the role they can play in driving down code-level vulnerabilities, as well as creating an environment where they can learn secure coding in a way that is comfortable for them, is paramount in repairing that relationship.
The AppSec side should also understand they only add business value when security issues are actually fixed, not solely identified and reported upon. They need to go further than generic statements and actually provide language-specific coding patterns that can prevent or mitigate issues. When both teams are aligned with common security goals, and, ideally, understand that security should be synonymous with code quality, there is an immense potential for significant risk reduction.
It’s been observed that companies without secure development training often repeatedly payout bug bounties for the same vulnerability type. Can you share some of the reasons why these patterns exist?
This is unsurprising, and comes back to the fact that we have seen the same recurrent vulnerabilities for decades (think cross-site scripting and SQL injection) because developers are using the same poor coding patterns time and time again. Regardless if you’re utilizing the latest AI scanning technology, bug bounties, or time and effort spent on classic static code analysis, you will see the same problems coming back if the root cause is not addressed.
Whether it’s cutting corners, bad habits, or an accepted learned behavior that perpetuates this risk, the solution is education and positive reinforcement of the right coding patterns so they can course-correct and break the cycle. As an industry, to date, we have let developers down by not providing viable secure coding education in the workforce or at the tertiary level; they need right-fit tools and learning pathways that allow them to build the skills needed to correct those risky behaviors and code with security front of mind.
How can organizations incorporate secure coding training without significantly slowing their development process?
Achieving security at speed is not impossible, but it requires upskilling developers in a way that is least disruptive to their workflow while still providing a meaningful impact. “Tick-the-box” annual compliance training simply isn’t going to cut it; this is far too infrequent and not tailored to the languages and frameworks they use, nor the vulnerabilities they are most likely to come across in the codebases they work on.
Agile learning solutions that flex with the ever-changing needs of the business and threat landscape, as well as allow developers room to grow and build upon existing knowledge tend to be far more successful and relevant. This way of learning tends to break down modules into “microbursts” that are easier to retain and execute contextually when similar challenges present themselves in the real world.
Why should organizations incorporate tournaments in their training? Can you describe the effectiveness of a gamified learning experience in the context of secure coding?
I am a big advocate of putting a little fun into everything, and tournaments can be a powerful tool to help grow a positive security culture in an organization. They are a chance for developers to engage with security learning outcomes at a competitive level, against their peers, and get a clear view of where they measure up.
Many of our customers take this as an opportunity for team building and creating awareness, running themed tournaments with amazing prizes on offer for those who reach the top of the leaderboard. It is also a chance for management to identify security enthusiasts in the development cohort, which can result in appointing formidable security champions to keep the passion alive long after the tournament has concluded.
How important is the refreshment of secure development training? How often should these sessions be held?
It is completely pointless to implement any upskilling program that is only rolled out once a year. Throwing a few videos at developers to run at double speed while they focus on other tasks will not do a single thing to reduce vulnerabilities in the organization, or correct poor habits and coding patterns actively in use.
The OWASP Top 10 hasn’t varied that much in 20 years, but the technologies we use have drastically changed. We now write code for different purposes: full-stack, embedded, mobile, APIs… and security vulnerabilities exist in most of those technologies in different forms, requiring diverse coding patterns and approaches. It’s much more important to stay close to new versions of languages or stacks, rather than trying to keep up with the vulnerabilities.
Ideally, training should be bite-sized and digestible whenever it is needed (e.g. embedded into issue tracking systems), with core sessions run frequently to tackle the issues most relevant to the organization. It should be hands-on, replicating the code and scenarios they will see in their work day. They should be given adequate time to train, with easy access to education as part of their workflow with minimal context-switching. It really is that important.
Given the importance of secure coding, what innovative methods or strategies can be employed to continually encourage developers to improve their secure coding techniques?
In this era of new (and potentially insecure) AI development tools coming out every other day, now more than ever, we need to help developers understand the role they play in reducing code-level cyber risk. They need to be educated to care more about secure coding outcomes, and be equipped with the skills to identify and avoid common vulnerabilities altogether in their own work.
Organizations with a high level of security maturity have strong, developer-driven security programs that focus on their learning journey, career pathways, and knowledge sharing. They often make secure coding part of development KPIs, but by the same token, incentivize continuous education and passing assessments.
Security-aware developers are sought after, highly respected by their peers, and enjoy status that helps them stand out among more average developers. Leveraging this and making secure coding pain-free, incentivized, and even tied to more interesting projects can be a potent motivator.