While we’ve seen promising steps in the right direction when it comes to application security, there is still a significant gap in secure coding knowledge across the entire software development lifecycle (SDLC). Currently, none of the top 50 undergraduate computer science programs in the U.S. require a course in code or application security.
Yet, the attack surface is growing. New vulnerabilities within the NIST National Vulnerability Database increased by over 200% from 2015 to 2021.
Experts are calling for a greater focus on programmatic secure coding training. We brought together leading voices across business, industry, and academia to discuss how to overcome the ‘AppSec Dilemma.’ We tackled some of the key questions currently affecting the SDLC:
- Where does awareness stop and education start?
- How do we improve secure coding education?
- How can we bridge the gap between academia and private industry?
What we discovered is that ‘education’ goes beyond ‘awareness.’ While awareness in application security means recognizing what a flaw looks like, education includes understanding the effects of this flaw and how it can be remediated.
One of our roundtable participants, Professor Jason Hong of Carnegie Mellon University, recently touched upon this and other findings in this short video for Help Net Security.
So how can organizations move from awareness to a security posture? Here are some key actions to take to make education in secure coding a more continuous journey (you can read our full insights here).
Investment needs to be driven from the top down
Education is only possible with investment. Key decision makers must buy into the value of a continuous secure code training program, so they can encourage and reinforce critical concepts and not hinder progress.
This shift left requires support from the top. In fact, as we identified in our roundtable, the board and executive leadership team should lead by example. They must demonstrate the necessity of a security-first mindset for everyone – developers, engineers, and the teams that support application development.
For training to be effective, it must also be relevant to each learner and the challenges they face in their day-to-day responsibilities. It should also be customized to their level of experience and refined for each role across the SDLC.
If an education program is focused on a coding language a developer is not familiar with or designed for someone with much more basic knowledge than those taking the course, learners will switch off. They may even begin to view security education in a negative light.
Industry and academia must collaborate
While both academia and industry are trying to tackle the AppSec dilemma, they work separately. Both have a role to play in addressing the lack of secure coding education provided for the SDLC but it is far easier if they do so together.
Our roundtable discussion identified a number of suggestions on how to aid this collaboration, such as creating more shared platforms of knowledge, embracing mentorship programs to support those in the early stage of their careers, and encouraging more practical partnerships between universities and private industry.