Are self-taught coders a cybersecurity problem?
- Lockdowns throughout the last year have led many to upskill, and coding is one of the most popular choices
- Today, individuals have access to endless resources and tutorials, but this way of learning may bypass the importance of secure code
- The tech industry needs developer talent, but it needs those who put security first
Due to extra time spent at home, furloughing, or even the complete loss of jobs, the last year has led many on a quest to enhance and expand their skillsets, or even reskill entirely.
Given the demand for IT – and the towering salaries certain roles can secure – the prospects of the tech industry have led many to focus on developing their coding skills.
Research from BoxBoat found that one in four people spent their time learning to code during the lockdown, with Python, Java, and C++ the most commonly-learned languages. More than half of respondents said they were looking to improve tech skills for career development, while a third was seeking to improve job prospects.
From free coding tutorial sites to YouTube, opportunities to learn these valuable skills are accessible to everyone and are pretty much endless.
For many self-taught and inexperienced coders, however, coding securely isn’t even a consideration, let alone a priority, said Matias Madou, CTO and co-founder at Secure Code Warrior. So, while it’s positive that many are looking to upskill themselves, the importance of learning to code safely “cannot be understated”.
“Insecure code is a huge risk to all organizations,” said Madou. “The rapidly increasing reliance on digital platforms and the software that enables them have only exacerbated pre-existing security issues.”
2020 and the digital reliance it thrust upon businesses have served to spotlight just how important secure code is for businesses, their customers, and society at large. Common security bugs can lead to catastrophic breaches if undetected. A 2019 study of 32 web applications found that 82% of vulnerabilities were located in the application code itself.
In fact, the need for secure and resilient code today has led to the growth of chaos engineering, where resilience is built into code by design and methodology.
“Without addressing security issues at its root, organizations will fail to effectively fortify their IT infrastructure. At best, this might mean a small-scale data breach, and at worst, could lead to life-threatening scenarios, particularly when it comes to compromising connected devices in industries like healthcare or manufacturing,” said Madou.
Upskilling in security
While upskilling with developer nous might seem like the most direct route to better job prospects, Madou suggests security should be front of mind, both for individuals looking to get started or advance, and organizations offering training and development internally.
“There are many benefits to upskilling in security as a developer,” said Madou. “At first, writing secure code may seem like a time-consuming and cumbersome obstacle to overcome for developers, but it will become quicker and easier with time and create long-term efficiencies by saving time fixing bugs on the other end.
“Consistently producing secure, quality code will increase a developer’s value and make them much more in-demand – getting code right the first time can save organizations a lot of time and money. Upskilling in security will open up more lucrative job opportunities, with secure coding continuing to grow as a highly sought-after skill.”
The demand for talented cybersecurity professionals is skyrocketing, he added, with a shortfall of around 291,000 skilled workers in Europe, and security-aware developers can help take the pressure off by addressing common vulnerabilities from the beginning.
Engage with coders
Madou recommends that, for organizations, poor code security should be addressed from the top-down, and developers should be given the time and encouragement from their leaders to build on their security offerings from the beginning of their careers.
While training in secure coding is essential to changing the state of security in organizations, it’s not always easy to encourage developers to start prioritizing security, he said, as there is often a “misguided assumption that doing so will take them away from the task they love most – building features.”
“As a result, training will only be effective if it’s relevant and demonstrates how security can fit seamlessly into a developer’s day job. The best way of doing this is through hands-on, dynamic exercises that are an accurate representation of what they might actually encounter,” said Madou.
“For example, gamified developer programs are a great way to engage developers and actively test their secure coding skills. We can’t expect traditional teaching methods, such as classroom-based learning, to change a developer’s mindset on secure coding.
“So far, such training has proved largely ineffective if the increasing amount of cyber threats and consistent attacks are any indication.”