Security Awareness Blog

A Foundation for Developer Security Awareness Training: What's the Problem?


Guest Editor: Today's post is from Eric Johnson. Eric is a Senior Security Consultant at Cypress Data Defense and the Application Security Curriculum Product Manager at SANS. In this series of posts Eric will take a look at laying a foundation for Developer Security Awareness Training.

In our last post, we discussed what we should take away from publicized security events. Let's discuss why we are failing, and what we can do to make it better.

Why are we failing?

Software has become a requirement across all industries in today's world. Every market is included, from finance to travel, industrial, healthcare, retail, entertainment, and many more. Everyone is realizing the benefit of automating tasks and accessing information using laptops and mobile devices from home, the office, or virtually anywhere. The teams working on these applications are given rigid deadlines and are working long hours to meet the demands of their stakeholders. During these times, security vulnerabilities are accidentally introduced as changes are rushed through the pipeline to provide that next groundbreaking feature to the customer.

Many years as an application security consultant have allowed me to see firsthand how often these vulnerabilities exist in high-profile applications. The same high-risk vulnerabilities continue to show up year after year and application after application. The types of vulnerabilities that open the door for attackers to breach our organizations are accessible to anyone who registers for an account on a web site. In many cases, the vulnerabilities are buried in application code that hasn't been modified for years, and often only require a few minutes to fix. Unfortunately, prioritizing enhancements and feature releases over security continues to allow these vulnerabilities to be deployed and lie dormant until it is too late. As long as organizations continue to accept bolting on security features post-deployment, project and development teams will continue to view security as a low priority.

How can we improve?

The first step in changing the security culture of an organization starts at the highest level of management. To quote Bill Gates, the co-founder and former CEO of Microsoft:

"When we face a choice between adding features and resolving security issues, we need to choose security."

This quote provides a perfect example of an organization dedicated to changing its security culture so that security becomes the top priority. The second step requires the organization to provide all employees with the resources they need to create secure software. To build their security knowledge, project and development teams should be required to take security awareness training that illustrates the hostile environment their applications will be exposed to after deployment to production. Upon completion, everyone involved will understand why security is important and remain engaged as security discussions occur. In the next post, we will explore the types of developer security awareness training that should be provided.

Bio: Eric Johnson is a Senior Security Consultant at Cypress Data Defense and the Application Security Curriculum Product Manager at SANS. He is the lead author and instructor for DEV544 Secure Coding in .NET, as well as an instructor for DEV541 Secure Coding in Java/JEE. Eric serves on the advisory board for the SANS Securing the Human Developer awareness training program and is a contributing author for the developer security awareness modules. His experience includes web and mobile application penetration testing, secure code review, risk assessment, static source code analysis, security research, and developing security tools. Eric previously spent six years performing web application security assessments for a large financial institution and another four years focusing on ASP .NET web development. He completed a bachelor of science in computer engineering and a master of science in information assurance at Iowa State University, and currently holds the CISSP, GWAPT, GSSP-.NET, and GSSP-Java certifications. Eric is located in West Des Moines, IA and outside the office enjoys spending time with his wife and daughter, attending Iowa State athletic events, and golfing on the weekends.