In the last post (Developer Security Awareness: Why Do We Care?), we discussed what we should take away from publicized security events. Let's discuss why we are failing, and what we can do to make it better.
Why are we failing?
Software has become a requirement across all industries in today's world. Every market is included, from finance to travel, industrial, healthcare, retail, entertainment, and many more. Everyone is realizing the benefit of automating tasks and accessing information using laptops and mobile devices from home, the office, or virtually anywhere.
The teams working on these applications are given rigid deadlines and are working long hours to meet the demands of their stakeholders. During these times, security vulnerabilities are accidentally introduced as changes are rushed through the pipeline to provide that next groundbreaking feature to the customer.
Many years as an application security consultant have allowed me to see firsthand how often these vulnerabilities exist in high profile applications. The same high-risk vulnerabilities continue to show up year after year and application after application. The types of vulnerabilities that open the door for attackers to breach our organizations are accessible to anyone that registers for an account in a web site. In many cases, the vulnerabilities are buried in application code that hasn't been modified for years, and often only require a few minutes to fix.
Unfortunately, prioritizing enhancements and feature releases over security continues to allow these vulnerabilities to be deployed and lie dormant until it is too late. As long as organizations continue to accept bolting on security features post-deployment, project and development teams will continue to view security as a low priority.
How can we improve?
The first step in changing the security culture of an organization starts at the highest level of management. To quote Bill Gates, the co-founder and former CEO of Microsoft:
"When we face a choice between adding features and resolving security issues, we need to choose security."
This quote provides a perfect example of an organization dedicated to changing its security culture to be the top priority.
The second step requires the organization to provide all employees with the resources they need to create secure software. To build their security knowledge, project and development teams should be required to take security awareness training that illustrates the hostile environment their applications will be exposed to after deployment to production. Upon completion, everyone involved will understand why security is important and remain engaged as security discussions occur.
In the next section, we will explore the types of developer security awareness training that should be provided.