Secure application coding: the important, under-explored security measure
Between 2021 and 2022, the ACSC (Australian Cybersecurity Commission) saw a 25% increase in publicly-known software vulnerabilities.
Malicious cyber actors indiscriminately targeted Australian organisations and individuals. Malicious actors persistently scanned for any network with unpatched systems, sometimes seeking to use these as entry points for higher-value targets. The majority of significant incidents ACSC responded to in that period were due to inadequate patching.
The silver lining is that the latest cyber attacks have helped developers understand security is an important step in the application development process. When developers understand what vulnerabilities mean and how they get introduced, secure coding becomes second nature.
Traditional security training is focused on the ‘how’. Participants are shown how to create secure code but not why it is crucial. The core concept behind The Missing Link’s Application Security Training offerings is to show developers why they should care – by putting them directly in the shoes of the hackers and cybercriminals targeting their apps. They perform real-world attacks which have devastating impacts on vulnerable applications.
This way, transformation begins at the bottom, not the top. They build bridges with security teams to ensure businesses remain protected from common to complex vulnerabilities introduced during the development process by winning the hearts and minds of developers.
The application security challenge for large organisations usually stems from a wide array of development teams working with completely different sets of technologies. With this in mind, The Missing Link knew its application security course should engage the different development teams (each with unique personalities) and provide them with accurate, relevant information and guidance. The course content information must be both interesting and useful for all participants in their day-to-day work to ensure maximum value.
The training courses overcome this limitation and make security an integral part of the developer experience – something the developers can understand and embrace themselves. With this approach, it’s not so much about getting developers to copy and paste or write code a “secure” way; it’s about getting them to think like a hacker while coding.
Of course, all developers can go and get trained. However, many courses spout mantras like ‘write code like this, do this…’. Some of the most common criticisms of these security training courses are the content is boring, the advice is too generic, or worse still, vulnerabilities continue to be introduced.
This dynamic needs to change. Hackers continue to get better and more creative. The attacks are getting more devastating. As more of our data is stored in the digital space, it’s time to teach developers how to hack their own code. Application security training from The Missing Link does just that.
Maintaining relevance with tailored training
One important quality of application security training is relevance. Diverse technologies in large organisations necessitate tailored training that addresses each team’s specific challenges in its day-to-day work, as there are specific exploitation techniques for the different technologies used.
Developers often say, “but I followed best practices,” where we can still demonstrate exploitation, meaning individual parts of their application may be safe, but combined, they open pathways for hackers to get inside. This is another important lesson The Missing Link teaches – developers and applications are part of larger ecosystems that all come together. Security must be seen as a holistic approach.
Innovate and stay engaging
Another essential quality is innovation. Training should not be limited to static, theoretical instruction. Instead, it should be dynamic and engaging, with hands-on learning and real-world attacks that give developers a practical understanding of how vulnerabilities can be introduced and exploited. Developers must see what the vulnerabilities do for themselves, from simple to complex exploitation. To defeat your attacker, you must know your attacker.
Be agile and adaptable
Finally, application security training must be flexible and adaptable to changing threats and technologies. Cyber threats are constantly evolving, so training should be designed to keep developers updated with the latest threats and best practices. New exploitation techniques are presented to hackers at conferences or written about as articles on social media. Why should the developers miss out?
The ACSC’s findings demonstrate the critical importance of secure coding in the application development process. Training is an essential component of any successful security strategy. When choosing an application security training provider, look for relevant, innovative, and flexible programs like those from The Missing Link. Developers can gain a deep understanding of vulnerabilities and how to prevent them, making secure coding second nature in their development process.
Author: Jack Misiura, Application Security Manager at The Missing Link.
- Is the Apple Vision Pro headset a real-life Black Mirror?
- Deepfakes get harder to detect
- After Italy, Japan has its eyes on ChatGPT over data privacy concerns
- Seeds of change: agritech redefining farming in Asia
- Guardians of the digital realm: How securing privileged accounts can help safeguard government institutions