Part 3 of 5 - The Need for More Educated Development Teams
To view the previous post in this five-part series, click here.
Despite the rapid change of technology and the rise of new platforms such as cloud and mobile, the majority of organizations do not have a formal application security training program in place. Knowledge and skills are fundamental to software assurance - without a thorough understanding and grounding in the principles, vernacular, tools, and practices for software security, your development team’s effectiveness will be limited and you won’t see the kinds of results you are expecting.
- More than 80% of technical staff report their organizations are not updating training and education programs for their development teams
- Between 66% and 71% of executives and directors think that they are updating internal training programs – and this is the group that approves budget spend
There are two primary reasons for insecure code: lack of developer training and failure to prioritize security. When developers lack know-how, they may know that security is a requirement, but they don’t know how to write secure code. They may also lack a process that emphasizes the importance of secure code and catches vulnerabilities that make their way into the system. When a team fails to prioritize security, the development team may not be given the time and resources necessary to write secure code.
Security requires a focused investment into developer education, secure coding processes and scheduled time to create a secure architecture and use secure coding standards. Keep in mind that there are different training needs for each role on your development team and for each technology in use. For example, mature organizations are aware of the effectiveness of the implementation of standards and use them regularly to:
- Conduct audits and assessments to understand the threats against their organization
- Improve security, architecture and coding standards
Skill development follows interests and motivation. Tools and services are wanted, but they are only used if felt of value, which requires training on how to focus on hot spots, interpret the results, and most important, remediate the vulnerabilities found. Also, development teams will be motivated if they understand how training can help them be more effective, efficient, and get their job done better; it is not a tax, but an enabler.