This article was originally posted on Dark Reading.
In the opening keynote of the 2022 Black Hat security conference, Chris Krebs, the former Department of Homeland Securities cybersecurity director, stated that security is going to get worse before it gets better. Why? Krebs said that "software remains vulnerable because the benefits of insecure products far outweigh the downsides." Rather than ensuring security, the focus across the software development life cycle (SDLC) is beating the competition to market. In fact, innovation is often seen at odds with security — the former believed to be fast-paced and productive, and the latter a roadblock that stifles quick-moving application development. This view is proving to be outdated in the current threat landscape.
With cyberattacks on the rise, the software supply chain is a popular target for cybercriminals who recognize the huge disruption they cause when infecting insecure code. For example, the now infamous Log4Shell vulnerability posed such a risk because the open source Log4j is so commonly used across software applications and online services worldwide, and exploiting the vulnerability requires very little expertise. More recently, the 25,000 malicious plug-ins found across WordPress sites highlight the cybersecurity risk that many businesses face, despite believing they were using secure applications and programs within their websites.
Innovation and security must therefore be viewed through a single lens; one is not possible without the other. Even more importantly, security can no longer be the responsibility of one siloed team. It must be a priority for everyone across the SDLC.
The AppSec Dilemma
Despite increased investment into application development, the same importance isn't being applied to security. In such a competitive space, first movers tend to get the reward. Those that enter the market with their "first viable product" are likely looking at how this product can serve customers, not how it can be used securely. With these high expectations, code demands on developers have increased 100 times over the past 10 years, with 92% feeling pressured to write code faster. Pair this with the fact that 53% have no professional secure coding training, while the number of new vulnerabilities within the NIST National Vulnerability Database has increased by over 200% in the past several years, and it seems we're in something of an application security dilemma.
However, it is not an unsolvable dilemma. The solution requires a complete switch-up in the way that many view coding and innovation, with a specific focus on the mindset of the people. It puts security first and recognizes that it's OK to be slower to market if the end product is more secure. According to Boehm's law, "the cost of finding and fixing a defect grows exponentially with time" — a concept that can benefit the bottom line of organizations that prioritize security from the start.
Establishing this security-first mindset is crucial — not just for the development team, but for everyone who plays a role within the SDLC. Product and project managers, DevOps, user experience (UX) designers, and quality assurance (QA) professionals will all influence the end result and therefore need to recognize the current dilemma for application security and how this challenge can be overcome.
Getting Integrated Education Right
If teams do not understand why a security-first mindset is so important within application development, they are never going to buy into how it can be achieved. Integrated and continuous application security education for the whole development organization has therefore never been more important. For those creating the code, it is important to deliver foundational learning before hands-on exercises that speak directly to the issues they face on a daily basis. This developer-specific education should be run in parallel with foundational and advanced application security training programs for those with roles in the SDLC that may not necessarily need hands-on expertise. These kinds of initiatives will empower the whole team to think differently, make more informed decisions, and integrate security across every aspect of development.
Yet it is important that organizations understand that application security constantly evolves and changes. Building a security-minded team who apply key AppSec principles at every step of the development cycle can't be accomplished with a "one and done" training program. To ensure teams maintain this security-first mindset, a continued and evolving educational program is key.
Many organizations engage teams by acknowledging and celebrating security champions, who lead a shift in security behavior across the team. By offering incentives or rewards to those that are consistently applying security best practices in their day-to-day work, they encourage champions to engage others and organically influence change. For example, by measuring results — like the number of vulnerabilities in a code before and after training programs — and recognizing success, it is also far easier to get buy-in from the board and justify investment on secure coding education to the decision-makers.
Innovating fast and beating the competition to market while also putting security first is possible when the people of the SDLC make security a top priority. In fact, as the number of vulnerabilities grows and cyberattacks show no sign of slowing down, coding securely is a must for any application to be successful. As long as the entire SDLC is considered in continuous, bespoke, and measurable education initiatives, security does not have to get worse before it gets better.