Addressing insecure code at its root

613 Views

Who is Secure Code Warrior and what do you do?

Secure Code Warrior was founded out of the need to address insecure code at its root. Rather than focusing on finding and remediating flaws in an application’s code, our ethos is that the focus should lie on preventing the vulnerabilities from being created in the first place. And this starts with security-minded developers.

While developers don’t need to become security experts, when they are provided with the right knowledge and tools, at the right time, they can be empowered to become the first line of defence for their organisation. Through its hyper-relevant gamified platform, contextual learning framework, and developer integration tools, Secure Code Warrior has pioneered an innovative approach to improving secure coding skills and outcomes that is simple, scalable and positive. This in turn is creating an environment in which everyone can enjoy spending more time building, and less time fixing.

 

What are the challenges currently facing the cybersecurity industry?

COVID-19 has led to an explosion of cybercrime. VMWare Carbon Black reported almost every UK business (99 percent) surveyed has suffered at least one security breach since October 2019.

At the heart of the world’s cybersecurity issues sits vulnerable code.

According to a 2019 report from Akamai, SQL Injections (a code injection technique) represented nearly two-thirds of all web application attacks it observed over a 17-month period ending March 2019. This year, the SQL injection attack celebrates its 22nd anniversary – despite the fact a fix was found within days of the first incident.

So if we know the solution, why are SQL injections, and other prevalent code attacks, still a threat?

One of the main reasons is that security and development are misaligned, with security solutions highlighting the vulnerable code, but offering solutions that don’t fit within the developer’s IT stack. As a result of not being equipped with the knowledge and practical solutions required to remediate vulnerable code, developers are likely to repeat similar mistakes in the future, and the ongoing creation of compromised code continues indefinitely.

Billions of lines of code, constant large-scale data breaches, and more risk of penalty than ever before have created a demand chasm for security specialists that, realistically, is unlikely to be closed.

 

What can organisations do to overcome these challenges?

The answer really is quite simple. Organisations need to place greater emphasis on the “people” side of security, rather than relying on tools as the main remediation plan.

“But” I hear you ask. “You just told me there is a skills shortage, where do I find these ‘people’?” 

The answer lies in your development team and upskilling those that create the code to become that first line of defence. To start with, we need to rethink how we create software and recognise that DevOps doesn’t go far enough. Security should be at the forefront of coding practices, and developers are key to making this happen. This is where DevSecOps comes in.

DevSecOps should be viewed as an ongoing methodology, not a Band-Aid solution. It’s a culture as much as a set of techniques and adopting it requires skilled people, change management and an ongoing commitment from all stakeholders. Providing employees with the right tools and training is a key step in this shift towards secure development, but traditional types of security education for developers are unlikely to change their mindset and provide desired outcomes.

 

What is contextual learning and why is it important for developers when it comes to coding securely?

Training in secure coding is essential but will only be effective if it’s relevant and demonstrates how security can fit seamlessly into a developer’s day job. Effective workplace training is not going to be delivered in a classroom. Instead, organisations need to be engaging developers through hyper-relevant learningthat is integrated with day-to-day tasks. If the developer is actively led through how coding and security can be combined, without taking them away from their day job, they are more likely to continue to use best practise in the future. For those looking to start on a smaller scale, there are freetraining apps that teach essential secure coding skills across different coding languages and can be done any time, any place.

Day-to-day learning can be combined with what we call ‘Missions’ and ‘Tournaments’ which involve interactive coding simulations of real-word scenarios. This puts developers in situations that they’re likely to come across in their own work, but in a more competitive format. Not only do these training methods get developers more engaged in the idea of secure code, but it will allow an organisation to benchmark each team member and ensure everyone’s learning is tailored to their skill set.

 

How is Secure Code Warrior working with the wider security community to solve these challenges?

Engaging the developer community in secure coding is our foremost priority, and this means we need to be an active participant in the wider community ourselves.

We work closely with The Open Web Application Security Project (OWASP), whose mission it is to improve software security through open source initiatives and community education. It’s recognised across the industry that 85% of exploited vulnerabilities are attributed to just 10 known vulnerabilities – the OWASP Top 10. Secure Code Warrior’s self-paced learning content covers over 50 different vulnerability types including the OWASP Top 10.

In addition, we recently partnered with GitHub, the platform that sits at the heart of a developer’s working life, by building a GitHub Action that brings contextual learning to GitHub code scanning. This means developers can use a third-party action, like the Snyk Container Action, to find vulnerabilities, and then augment the output with hyper-relevant learning. By delivering developer-centric contextual learning when needed most, we’re making it easier for developers to release quality code faster.

Worth including a summarising line here? Wonder if we can sneak in a cheeky ‘If you’re keen to learn more about how Secure Code Warrior is helping developers and businesses win the battle against vulnerable code, please see here (hyperlink to website)’. I guess the worst that can happen is that they remove it.