5 ways to better educate developers on application security

As a graduate student at the Budapest University of Technology and Economics, Gábor Pék found that the school graduated students who generally did not have a fundamental grasp of application-security concepts.

The situation convinced Pék, following his own graduation with a PhD in 2015, to start a company, Avatao, aimed at teaching developers to create secure software by using gamification to make the process more interesting. Developers need such practical knowledge, he said, but he added that it is not a replacement for the solid theoretical grounding they should have coming out of a four-year university as a computer science graduate.

"Security education is not about finding specific issues, but about teaching the right mindset," said Pék, who is the co-founder and chief technology officer of Avatao. "It is hard to design architecture with security in mind if you do not have the right mindset."

Convincing developers to consider security as part of their job has been a struggle for application-security experts. With an estimated 23 million developers in the world, according to Evans Data Corp., reaching all of them with enough security training is nearly impossible.

Jeff Williams, chief technology officer and co-founder of Contrast Security, has tried. The application-security specialist has taught his share of classes to developers in his roles at his current company and at previous firms. Yet he estimates he may have affected at most tens of thousands of developers—not enough to sway the millions of people creating code.

"Ultimately, if we want to make a difference in application security, we need to find a way to get 20 million developers to do the right thing. Teaching 1,000 people at a time is not even a drop in a drop in a bucket."
—Jeff Williams

There is no single solution, experts stress. Instead, companies need to take a multi-prong strategy to keep developers thinking about security.


1. Higher education can help, but it's no panacea

Larger companies have already started forming pipelines with two- and four-year institutions to seek out computer science graduates, often asking schools to put a greater focus on teaching cybersecurity.

Yet, with most schools teaching advanced computer science concepts in years three and four, getting students up to speed in security is difficult, because a security focus can quickly turn digestible lessons into major projects.

"You can make things massively more complicated. Even the typical 'Hello, World'—your basic application—turning that into 'Hello, Secure World' is hundreds of lines. You have turned a very simple introduction into a massive process."
—Jeff Williams

Yet finding ways to teach the concepts of application security as well as the dangers of failing to secure software can help set developers up with a mindset to continue learning, he said.

2. Continuing education helps, but requires dedication

Companies can better tailor their developer workforce by requiring continuing education. Yet, with developers most often measured on their productivity, such endeavors need management support to make sure developers get the time they need.

In addition, there needs to be a proper mix between focused courses and more general conferences. A conference session generally piques curiosity, while a technical class can allow a developer to dive into a more practical topic, said Francois Raynaud, founder and director of the conference and training group DevSecCon.

"There is definitely something really good about running a conference, but security conferences for developers are quite hard, because there are so many technologies that you could cover."
—Francois Raynaud

3. Incorporate security tests into development

Security tests that check developer code as it is being written, or when programmers check in their code, are potentially the most important way to present security concepts to developers. Such teaching moments are becoming more common as companies adopt agile development, because the feedback arrives while the code is still fresh in the developer's mind.

"What I like about the whole thing is it creates micro training environments," Williams said. "The developers are just doing their normal job, but they are getting feedback as they need it, and it's reinforcing security concepts."

In addition, testing during the process keeps disruption of the development process to a minimum, he added.

"Instead of security coming in and telling them that it will take six weeks to fix their app, they can do it all themselves. It's democratizing."
—Jeff Williams
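As an added example of the check-in-time feedback described above (this is not code from the page, from Contrast Security, Avatao or any other company named here), the script below parses a Python file with the standard `ast` module, flags four well-known risky patterns, and attaches a one-line explanation and fix to every finding so the report itself is the "micro training" moment. The rule set, the `check_source` and `format_report` names and the sample file are constructed for this illustration; a real pipeline would run a maintained static-analysis tool rather than these few heuristics.

```python
"""Check-in-time security feedback for Python source (added example).

Parses a file with the standard ast module, flags four common risky
patterns, and pairs every finding with an explanation and a fix.
The rules are illustrative heuristics, not a complete scanner."""
import ast
import re

# rule id -> (what is wrong, what to do instead); shown verbatim to the developer
RULES = {
    "SHELL_TRUE": ("subprocess call uses shell=True",
                   "pass an argument list and drop shell=True so no shell parses the input"),
    "EVAL": ("eval()/exec() is called on a runtime value",
             "use ast.literal_eval for data, or never build code from input"),
    "SQL_FORMAT": ("SQL statement is assembled by string formatting",
                   "use a parameterised query: cursor.execute(sql, params)"),
    "HARDCODED_SECRET": ("credential appears to be hard-coded",
                         "read it from the environment or a secrets manager"),
}
SECRET_NAME = re.compile(r"password|passwd|secret|api_key|token", re.I)
SQL_VERB = re.compile(r"^\s*(select|insert|update|delete)\b", re.I)
SUBPROCESS = {"subprocess.run", "subprocess.Popen", "subprocess.call",
              "subprocess.check_output", "subprocess.check_call"}


def _call_name(node):
    """Dotted name of a call target, e.g. 'subprocess.run'; '' if not a plain name."""
    parts, f = [], node.func
    while isinstance(f, ast.Attribute):
        parts.append(f.attr)
        f = f.value
    if not isinstance(f, ast.Name):
        return ""
    parts.append(f.id)
    return ".".join(reversed(parts))


def _is_formatted_sql(node):
    """True for f"SELECT ...", "SELECT ... %s" % x and "SELECT ...".format(x)."""
    if isinstance(node, ast.JoinedStr):          # f-string
        text = "".join(v.value for v in node.values if isinstance(v, ast.Constant))
        return bool(SQL_VERB.match(text))
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Mod):
        node = node.left                          # "..." % args
    elif isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute) \
            and node.func.attr == "format":
        node = node.func.value                    # "...".format(args)
    else:
        return False
    return isinstance(node, ast.Constant) and isinstance(node.value, str) \
        and bool(SQL_VERB.match(node.value))


class _Visitor(ast.NodeVisitor):
    def __init__(self):
        self.findings = []

    def _add(self, node, rule):
        problem, fix = RULES[rule]
        self.findings.append({"line": node.lineno, "rule": rule,
                              "problem": problem, "fix": fix})

    def visit_Call(self, node):
        name = _call_name(node)
        if name in ("eval", "exec"):
            self._add(node, "EVAL")
        elif name in SUBPROCESS and any(
                k.arg == "shell" and isinstance(k.value, ast.Constant)
                and k.value.value is True for k in node.keywords):
            self._add(node, "SHELL_TRUE")
        elif name.endswith(".execute") and node.args and _is_formatted_sql(node.args[0]):
            self._add(node, "SQL_FORMAT")
        self.generic_visit(node)                  # keep walking into nested calls

    def visit_Assign(self, node):
        value = node.value
        if isinstance(value, ast.Constant) and isinstance(value.value, str) and value.value:
            for target in node.targets:
                if isinstance(target, ast.Name) and SECRET_NAME.search(target.id):
                    self._add(node, "HARDCODED_SECRET")
        self.generic_visit(node)


def check_source(source):
    """Findings for one file's text, ordered by line number."""
    visitor = _Visitor()
    visitor.visit(ast.parse(source))
    return sorted(visitor.findings, key=lambda f: f["line"])


def format_report(path, findings):
    """One actionable line per finding, in the file:line form editors understand."""
    return "\n".join(f"{path}:{f['line']}: [{f['rule']}] {f['problem']}. Fix: {f['fix']}."
                     for f in findings)


# Constructed sample input for the demonstration; not code from any real project.
SAMPLE = '''
import subprocess
DB_PASSWORD = "hunter2"
def run(user, cmd, cursor):
    cursor.execute(f"SELECT * FROM users WHERE name = '{user}'")
    cursor.execute("SELECT * FROM users WHERE name = %s", (user,))
    subprocess.run(cmd, shell=True)
    subprocess.run(["ls", cmd])
    return eval(cmd)
'''

if __name__ == "__main__":
    print(format_report("sample.py", check_source(SAMPLE)))
```

Run it from a pre-commit hook or CI job over the changed files and exit non-zero when `check_source` returns anything; the developer sees the problem, the reason and the fix at the line concerned, which is the teaching moment Williams describes. The heuristics are deliberately narrow: a query stored in a variable and formatted elsewhere, or built with `+`, passes this check, which is why the script illustrates the feedback loop rather than replacing a proper scanner.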

4. Mentorship can smooth the road to security

Companies should also focus on creating experts who are readily available to teach developers specific security concepts and procedures. These "security champions" can vet code and write tests to incorporate lessons into the development environment as well.

The security champion can help keep developers on track in their continuing education in security. "When developers write code, whenever code is being merged into the codebase, the security champion should review it. When you design a new architecture, the security champion needs to review that as well," he said.

DevSecCon's Raynaud agrees. Writing security tests requires knowledge and skills that most developers will not have.

"Every security test, which is developed by the security team, needs to be tested and not be a blocker. If we had this process in place for, say, Heartbleed, the cleanup of that vulnerability would have been much faster."
—Francois Raynaud

5. Know what's in your software

Finally, developers should work with the security champions to determine what software, especially open-source components, is being incorporated into their applications. Determining the bill of materials for each project is a necessary step: it bounds the attack surface of the resulting application, and it tells the team which components need patching when a vulnerability in one of them is disclosed.

"We continue to rely on the open-source world, but we are not really tracking our components, and that means we are not securing them. If you look at the number of people who use this technology to secure open source, this is still a problem. It is quite a weird thing."
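As an added example of the component tracking described above (not code from the page or from any company it names), the script below builds a minimal bill of materials from a pip requirements file: it lists every component with its exact version and hashes, flags entries that cannot be reproduced or verified, and matches pinned versions against an advisory list so the team knows what to update. The advisory feed, the `examplelib` and `othertool` package names, the placeholder hash and the `audit` function are all constructed for this illustration; a real project would pull advisories from a maintained vulnerability database and emit a standard SBOM format.

```python
"""Minimal bill of materials from a pip requirements file, plus an audit
(added example). All package data and advisories below are constructed."""
import re

# name, then an optional operator and version, e.g. "flask>=2.0" or "requests"
REQ = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:(==|>=|~=|>)\s*([0-9][0-9A-Za-z.]*))?")

# Constructed advisory feed for the demonstration; not real advisories or identifiers.
ADVISORIES = [
    {"name": "examplelib", "fixed_in": "1.2.4",
     "summary": "constructed: input validation bug fixed in 1.2.4"},
]


def _logical_lines(text):
    """Join backslash-continued lines and drop comments, as pip does."""
    buf = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            yield buf.strip()
        buf = ""
    if buf.strip():
        yield buf.strip()


def parse_requirements(text):
    """One component per requirement: normalised name, exact version if pinned, hashes."""
    components = []
    for line in _logical_lines(text):
        if line.startswith("-"):          # -r, -e, --index-url and similar options
            continue
        tokens = line.split()
        m = REQ.match(tokens[0])
        if not m:
            continue
        name, op, version = m.group(1), m.group(2), m.group(3)
        components.append({
            "name": name.lower().replace("_", "-"),
            "version": version if op == "==" else None,   # only == is a real pin
            "specifier": tokens[0],
            "hashes": [t[len("--hash="):] for t in tokens[1:] if t.startswith("--hash=")],
        })
    return components


def _vkey(version):
    """Numeric version tuple for ordering; pre-release tags are ignored here."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def audit(components, advisories=ADVISORIES):
    """(name, kind, action) triples: what the team must do before this ships."""
    issues = []
    for c in components:
        if c["version"] is None:
            issues.append((c["name"], "UNPINNED",
                           "pin an exact version so the BOM is reproducible"))
        elif not c["hashes"]:
            issues.append((c["name"], "NO_HASH",
                           "add --hash so a substituted package is rejected at install time"))
        for adv in advisories:
            if adv["name"] == c["name"] and c["version"] is not None \
                    and _vkey(c["version"]) < _vkey(adv["fixed_in"]):
                issues.append((c["name"], "UPDATE",
                               f"{c['version']} is affected; upgrade to {adv['fixed_in']} "
                               f"or later ({adv['summary']})"))
    return issues


# Constructed sample manifest; the hash is a placeholder, not a real digest.
SAMPLE_REQUIREMENTS = """
# constructed sample, not a real project
examplelib==1.2.3 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
othertool==4.0.1
flask>=2.0
requests
-r base.txt
"""

if __name__ == "__main__":
    comps = parse_requirements(SAMPLE_REQUIREMENTS)
    for c in comps:
        print(f"{c['name']}=={c['version'] or '?'}  hashes={len(c['hashes'])}")
    for name, kind, action in audit(comps):
        print(f"{kind:9} {name}: {action}")
```

The three checks correspond to the three things a bill of materials is for: an unpinned entry means you cannot say what you shipped, a missing hash means you cannot prove the artifact you installed is the one you reviewed, and the advisory match is the "know when to patch" step. Transitive dependencies are not covered here because a requirements file only lists what the project asked for; a lock file or the installed environment is the right input for the full inventory.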

In the end, application security needs to be constantly taught to developers, during the software lifecycle, in meetings with security champions, and through continuing education with conferences and tutorials. But it all starts at schools and universities, where developers need a better fundamental grounding in the importance of application security.
