SECURE CODING TRAINING PRACTICES AND QUESTIONS

How to Implement Secure Coding Education into your Organization to get the most positive return on investment?

Secure coding is just one feature of your company’s application security policy, but without it, the most basic layer of your applications and interfaces could be left open to attacks.

While much of the responsibility belongs to the development team, a secure coding mindset needs to be championed at every level of your organization. There’s too much riding on the security of your applications to cut any corners.

In this post, we’re going to answer some of the most common questions from business owners and C-level execs about secure coding training. You’ll learn about the different roles each person in your company plays in application security.

At the end, we’ll give you a sample of best practices that you can use as a reference when implementing secure coding education program at your organization.

What is Secure Coding?

Secure coding is the practice of developing software in a way that guards against security vulnerabilities.

It ensures that every bug, logic flaw, and potential security flaw is acknowledged and protected against, starting with the code itself. Any flaw or vulnerability in the underlying code is hard to spot and fix, especially since most security analysts tend to focus on the higher, user-facing levels of design.

Why is Secure Coding such a hot topic?

You’re seeing secure coding come up more and more because there has been no shortage of trouble for big companies and their security.

Over the last few years, we’ve seen some of the biggest data breaches in history. The cost of the average data breach to companies worldwide is $3.86 million USD, but in the U.S., it is as high as $7.91 million USD. Not to mention, the average time to identify a breach is 196 days. That’s an incredible amount of time to leave security flaws open.

As a whole, security is top of mind across almost every industry. Many have learned (the hard way) that it beings with the code itself.

What typically causes flaws that get exploited?

The truth is that most exploitable security flaws come from a lack of awareness.

One example is when developers make assumptions about the input for the program, leading to buffer overflows. This common practice leaves a business open to attack.

Many of the issues come down to a lack of safety nets in modern computing platforms and a lack of awareness regarding secure coding practices. An unknowing marketer could go into the code and make a slight tweak for a campaign they’re working on without knowing that they’ve just exposed the entire company.

Hackers are more resourceful than ever. Any cut corners can lead to a damaging hack.

How can we implement secure coding training?

Cyber security training is part policy, part process, and part people.

Once the policy is in place, proper training helps the people on your team implement secure coding best practices to their daily work routine. You cannot count on having safe codes if your people do not know the best practices to follow.

While this requires some training on best practices, the training itself does not have to be time-consuming or resource intensive. What’s more important is that each team member understands why these best practices are in place.

When your team is asked to blindly follow best practices, they are more likely to take shortcuts, avoid steps that might seem irrelevant, or forget their training altogether. A clear idea of why each practice matters and how it contributes to the overall security makes vulnerabilities much less likely.

We’re fighting the shrinking margins already. Wouldn’t secure coding training just lengthen the releases?

This is the wrong type of thinking.

Training enhances your developers’ skills. And as long as these skills and best policies are properly taught they won’t be forgotten. The result is better, more secure coding in the same amount of time.

Secure coding does not have to complicate the development process. In fact, implementation of secure coding can occur simultaneously with the rest of development.

Once your developers have the skills necessary to code in a secure manner and know the best practices to follow, they can automatically incorporate these practices into their everyday coding and reviews.

What’s the best way to implement secure coding training?

Once you’ve gone through and taken time to establish your best practices and processes, the best way to train your team on secure coding best practices is to train 3 different teams at a time:

1. First, a dedicated security group whose sole responsibility is security.
2. Second, security champions that aren’t your dedicated security team, but knowledgeable enough to provide insight.
3. Third, your entire dev team.

Why the whole team and not just the developers?

Managers, and even executives, have to implement the processes of secure coding.

While the developers are at the front lines of secure coding, a mistake from a manager or exec could undo all of the good. Raising awareness of secure coding should be a company-wide initiative. Everyone needs to be on the same page.

Why not everyone at once?

By dividing the training sections up into teams based on security knowledge and roles, training can be customized to each individual skill level.

The dedicated security team does not need to waste time going over basic security concepts that the regular dev team may not be familiar with. This prevents the risk of some people falling behind or losing interest due to unnecessary training for concepts they are already familiar with and use on a daily basis. It helps entire team organically integrate concepts into their everyday practices.

Does the training have to be on-site?

We recommend a Blended Training method; the first part is done on-site, then follow-up training can be done online.

This way is much faster and more cost-effective for everyone involved. It also improves the flexibility in your training and reduces the time taken away from daily tasks.

Why not online for the entire course?

First, the ugly truth is that very few people can pay attention to a three-day long online course.

Second, there’s tremendous value in face-to-face interaction. It lets trainers adjust the pace according to the verbal and non-verbal reactions of the audience. It’s also more credible and more interactive.

This combination is what we’ve found to be most effective from the thousands of hours of training that we’ve given so far.

Should we add secure coding to the onboarding process?

It’s always a good idea to make cyber security training part of the onboarding process when hiring new employees.

This can be done via burst-training segments — even from inside the company. The key concept is keeping security at the top of the mind of everyone at the company.

We can give you pointers on training future team members and provide those burst-training segments. Or repeat the training if you onboard many new employees at once.

How much would secure coding add to our costs?

Well, we can say that it is definitely less than hiring a trained security officer or taking care of everything yourself.

Checking for security updates, handling the shameful negative press releases coming out of nowhere, etc. Every one of us has been there and the simple truth is that secure coding training is much more cost-effective.

The small initial investment will save hundreds of thousands of dollars overtime.

What kind of investment are we talking about (in U.S. dollars)?

Typical training for a group of 12 usually costs around $1,000 USD per participant — a marginal cost compared to both the opportunity cost and the effect a potential breach would cause.

The price tag varies depending on how many people, and what type of training is needed. Please check our pricing page for specifics.

What’s the opportunity cost for developers?

A developer needs three days per year at a minimum to learn, practice, and implement secure coding knowledge. This equates to about 2 percent of their yearly workload.

We have no budget. How can we convince the management about the rising priority of cyber security?

There have been a growing number of stories in the media about security breaches, at both smaller companies and giant corporations.

If management insists on little to no budgeting for cyber security training, it can be a good idea to develop a breach procedure. A cyber breach procedure is a document citing how to handle these disastrous events.

Even if you don’t think there’s a budget, don’t hesitate to ask. When facing the consequences, decision-makers usually change direction to keep their firm safe.

How many dev businesses are spending on secure coding anyway?

There were more than 23 million professional developers in the world in 2017, including over half a million in California alone. Most of these software engineers are not trained to release safe code.

The largest software organizations already realized the threat, however.

If you want to be ahead of the curve, secure coding should be prioritized.  It’s no longer an option.

Should I be the doomsayer?

It’s just realistic risk-awareness.

A friend of mine trained wannabe cave divers. He always started his training by telling his students that cave diving is one of the most dangerous extreme sports. People die cave diving all the time — new divers heard this all the time.

As the first lesson of the training, he used to pull out a body bag and explain how to dispose a dead body into the bag, claiming there’s a high chance that participants will need this knowledge sooner or later. Usually, half of the class left in less than 15 minutes.

The risk is there — it won’t be higher or lower just because no one talks about it.

This is exactly the same with secure coding. Whether or not you mention it, the risk will always be there. You mine as well be prepared for the somewhat inevitable.

If we take this path, can you guarantee that our code will be secure?

No code is ever 100% safe. But if implemented properly, secure coding training can greatly improve the security of the codes written in the future.

It’s another project to make old code secure, but the training will enable the team to work on securing old code in addition to making new projects more secure.

An Overview of Secure Coding Best Practices

When planning your secure coding, it’s never a bad idea to start with the basics.

We recommend creating a small team of shareholders that can help champion secure coding training and remind developers, and anyone else with sensitive data, to follow what’s been laid out.

Language and context will depend on your organization, but here are a few best practices that translate well across many organizations similar to yours.

Make Security a Priority

During the course of your project’s development, there will be a situation where efficiency and security might not perfectly match up.

No matter what, prioritize security. Don’t ignore checking for issues like cross-site scripting and SQL injection. Most problems are easy to fix once you find them.

Your goal is to make it impossible (or close to it) for hackers to exploit bugs through stolen or changing data. Deadlines can be pushed back. Rushing through your checks and leads to holes in your design, especially at the code level, will show up down the road. Make sure your application is tight.

Keep It Simple

While security should be a major priority during the development process, you should not go overboard and make it excessively complicated. The more complicated you make security measures, the more opportunities there are for failure.

Minimize the risk by reusing components you can trust and keeping things simple without double negatives or complex architecture. Go a step further and integrate security tools in the environments that developers are familiar with.

Follow the Concept of “Defense in Depth”

Defense in depth involves layering defense tools to delay an attack to buy time, rather than trying to prevent it outright. The various layers will help minimize holes in applications that give would-be attackers space to take advantage of your coding.

Of course we would always like to destroy the threat completely, but that can take time. Keep multiple security layers in place, so if one fails, the next one is ready to protect.

There are plenty of threats out there to your code, and they’re always evolving. Use modeling tools to automate threat patrol so your team can focus on other tasks.

Plan for Failures

You must have a course of action ready for when security measures fail. If you can shut down access quickly, you can avoid more serious damage.

The classic example is an ATM. When it fails or has an error, the ATM will not process any bills or allow for any transaction. It also doesn’t just start spewing out money. Issues are uncommon, but when they do happen, they’re planned for.

Make sure that any system failure does not lead to secure information being exposed. Include logs of failure for additional analysis at a later date to avoid future problems.

Do NOT Follow Security by Obscurity

Security by obscurity is when your main defense against attacks is the hope that no one finds about your design. Not hard to see why this is a bad idea.

Always work under the assumption that your source code was already compromised to engage in proper security testing. Incorporate threat modeling and defense in depth. Use the two in conjunction to be aware of the most significant vulnerabilities.

Completely Remediate Vulnerabilities

You should never leave known vulnerabilities alone. Always ensure you fully understand your vulnerabilities and remediate them via training and testing. Without looking at existing vulnerabilities, your journey toward secure coding will hit a roadblock.

Perform an analysis of source codes and do unit tests to validate that any changes to codes truly mitigate the vulnerabilities you want to overcome.

Define Allowances

Whitelisting is the only real way to prevent an attack that you think of following development. Use a method that defines specific actions or accesses that are allowed, then reject everything else.

Malware is constantly evolving. Without dependency on a whitelist, your code can easily become susceptible to hackers.

Follow Least Privilege

Every account should just have the amount of privilege they need to complete their responsibilities. In practice, this should involve classifying your data, so you can figure out the appropriate privileges based on roles. Follow it up with access control validations.

Cybersecurity Jobs Report 2018-2021

https://cybersecurityventures.com/jobs/

By 2021, 3.5 million cybersecurity jobs will be open — with not a single soul applying. No, it’s not an end-of-the-world, kinda paranoid, dark vision — it’s just cold, hard facts.

As Mark Andreessen (the very inventor of the thing what we nowadays call the browser) said: “Software will eat the world alive.” The question is, will your code be among the ones that serve or the ones that ruin the entire society?

References:

• https://infosecwriters.com/text_resources/pdf/On_The_Importance_of_Secure_Coding.pdf
• https://checkmarx.com/2015/07/01/9-secure-coding-practices-you-cant-ignore

Contact us at  training@scademy.com