Laying a foundation for developer security training is not an easy task. Those of us that have worked in the information security world long enough have seen the roadblocks:
- Development teams do not have enough time
- The project does not provide enough funding
- The organization does not have the expertise to create a training program
- It's more important to release new features.
Anyone reading this post has likely heard reasons similar to this for not taking action. In this multi-part blog post, we will show you how to get started and what developer security awareness training could look like inside your organization.
What have we learned from the past?
The headlines from the past year alone should be more than enough ammo to convince anyone in your organization that you NEED an application security program.
- The Heartbleed OpenSSL bug affected web traffic for millions of applications, devices, and operating systems. Many security experts classified the zero-day vulnerability as the most catastrophic software bug known to date. Within a few months, Heartbleed was used to attack a private healthcare network and extract millions of patient records.
- Travel industry web sites were targeted, resulting in major casino and online travel agencies being breached. Attackers were able to steal employee information along with millions of credit card numbers, email addresses, and password hashes.
- Social media also took a massive hit as hundreds of celebrity accounts were compromised and hundreds of thousands of "deleted" pictures were posted online.
- Point of sale systems continued to be successfully breached, resulting in millions of consumer credit card numbers being stolen from several different companies.
- To close out the year, we saw malware take over large corporate networks, extract gigabytes of information, and hold entire companies ransom.
The above examples are only a small sample of the information security specific incidents that seemed to make the headlines every week last year. While the attacks, motivations, and methods vary, I think the one thing we can all agree on is this:
Security is everyone's job.
The number of security incidents will continue to rise until we properly train our employees, raise awareness, and understand what is at risk. In the next post, we will look at why we are failing as an industry, and how we can improve.