This article was originally posted on Dark Reading.
Security Journey, a best-in-class application-security education company, today launched a report revealing that security experts across industry and academia are calling for greater focus on programmatic secure coding training to solve the ‘AppSec dilemma’. As a group, the application security leaders acknowledged the gap that academia has left when teaching developers how to deliver code securely, and outlined the ways enterprises can make this education possible.
Currently, none of the top 50 undergraduate computer science programs in the U.S. require a course in code or application security. Yet the attack surface is growing; new vulnerabilities within the NIST National Vulnerability Database increased by over 200% from 2015 to 2021. The Security Journey report was born out of a roundtable discussion, conducted during cybersecurity awareness month, to find a solution to this lack of secure coding education for developers and others involved in the Software Development Lifecycle (SDLC).
Roundtable participants include a Professor in the Human Computer Interaction Institute at Carnegie Mellon University, a Program Manager for Security Awareness and Education, Security Journey’s CEO, Director of Content Engineering, and Security Education Evangelist, Amy Baker, as Moderator. The roundtable established key differences between security ‘awareness’ and ‘education’, noted the areas that AppSec regulation can go further, and concluded that enabling more continuous and programmatic education is essential.
To make this education possible, the report from the roundtable discussion identifies key shifts that organizations need to make, which include:
- Investment needs to be driven down from the top: Key decision-maker, financial, and organizational support to advance ‘shift left’ initiatives.
- Training must be relevant to each professional: Training programs bespoke to the challenges that developers face in their day-to-day, complementing their current stage of knowledge.
- Industry and academia collaboration: Computer science and computer engineering professors examining curriculum to ensure security is included, making it easier for industry to embrace security from the start.
“Education is an underrated but essential part of computer security. The industry is currently severely under-educating all developers out there on really basic aspects of security and it’s hurting organizations.” Says Jason Hong, Professor in the Human Computer Interaction Institute at Carnegie Mellon University. “Education in academia and industry now needs to start focusing more on the human side of things – how do we improve people’s knowledge, where are their biggest gaps in understanding, and how do we incentivize and motivate not just developers but the corporations that employ them?”
Amy Baker, Security Education Evangelist at Security Journey added, “We need to bridge the gap between what development teams need to know about cybersecurity, and what education is provided to them either as part of undergraduate curriculum or by their employers. It’s not an impossible feat by any means, and we have a truly exciting opportunity now to improve application security knowledge in industry and academia.
To read all insights from the Security Journey Education vs. Awareness roundtable discussion, download the full paper.