There is more software being built than ever before in Australia and the continuous exposure to cyber threats means there is an ever-increasing necessity to teach developers to code securely. The industry is wastefully focused on finding and fixing vulnerabilities rather than preventing them. The critical human factor in the security equation is both part of the problem and the solution.
Security is not a developer’s top priority. Developers leave university with very little practical knowledge of how to deliver secure code, and they work in jobs where security training is rarely a priority. Very often, their first experience with security is an audit or testing bug report that suddenly halts a future release, becoming an instant top-priority disruption of their creative mind. They find themselves at loggerheads with those responsible for security reporting, so security becomes synonymous with criticism.
The 2018 Verizon Data Breach Investigations Report found that of more than 53,000 incidents and 2,200-odd breaches, most of the hacks still happened through breaches of web applications. These incidents and breaches stem from the high frequency with which developers write code containing security flaws, which in turn lead to web application vulnerabilities.
Web application attacks typically consist of any incident in which a web application was the vector of attack. This includes exploits of code-level vulnerabilities in the application as well as the thwarting of authentication mechanisms. The Report deals with both external and internal factors, stating that human errors were at the heart of almost one in five (17%) breaches. Breaches occurred when employees failed to shred confidential information, when they sent an email to the wrong person and when web servers were misconfigured. The Report points out that while none of these were deliberately ill-intentioned, they could all still prove costly.
Application testing over the past five years has not shown much improvement in the number of vulnerabilities found, and the same old flaws keep coming up time and time again. A 2017 Veracode report, based on 400,000 application scans, shows applications passed OWASP Top 10 policy only 30% of the time. Astonishingly, SQL injections appeared in almost one in three newly scanned applications. I say astonishing because SQL injections have been around since 1999. The fact that the same flaws, including SQL injections, are consistently found is evidence that the human factor problem among developers is not being adequately addressed.
It is at this point that I need to stand up and shout that I am on the developers' side of this argument. How are developers supposed to write secure code if nobody ever teaches them why it’s important, the consequences of insecure code, and most importantly, how to avoid writing these vulnerabilities in their respective programming frameworks in the first place?
For developers to write secure code, they need regular access to hands-on learning that actively engages them to build their secure coding skills. They need to learn about recently identified vulnerabilities, in real code, and specifically in their own languages/frameworks. This learning experience should help them understand how to locate, identify and fix known vulnerabilities. Developers also need a quality toolset in their process that makes security easy, does not slow them down and guides them in real time about good and bad coding patterns.
This is how we can make a tangible and positive difference to the number of application breaches.
The tech sector is booming in Australia. The ACS Digital Pulse report estimates that by 2022 the sector will have created an additional 81,000 jobs. The skills in high demand include developers and security experts. But with Australia only producing 3,000 to 4,000 graduates a year and skilled migration rules tighter than ever, it’s crucial that companies look at smarter ways to train, develop software and reduce the security risk posed by inadequate code.
Effective security upskilling for developers could make a real difference to the outcomes reported by Verizon in future reports. It would be nice to see the 2019 report reflect developer security training as a key risk reduction strategy that companies can adopt.
By Pieter Danhieux, Co-Founder and CEO, Secure Code Warrior