This article was originally posted on Security Journal Americas.
A recent survey found that software quality issues may cost the US economy an estimated $2.41 trillion in 2022. Cyber-crime losses play a significant part in this, with software vulnerabilities on track to increase 42% from 2021.
Yet while threat actors diversify and become more sophisticated with their techniques, businesses continue to struggle and are failing to patch known risks (72% of organizations are still vulnerable to Log4shell). This clearly demonstrates that application security (AppSec) education for developers and everyone across the software development lifecycle (SDLC) is still lacking and needs to be addressed if we are to see any real change in the cyber threat landscape.
The reality is that many developers enter the workforce with little to no education in secure coding or its value, having studied at top universities that simply don't require compulsory AppSec courses. At the same time, 51% of developers report dealing with a hundred times more code than they did ten years ago, and 92% feel they must write code faster than before. This has created something of an AppSec dilemma: vulnerabilities rise and pressures mount, yet security knowledge wanes.
In this article, we take a look at the biggest trends and challenges coming in 2023 for the whole software development industry, and how this AppSec dilemma can be overcome with programmatic and continuous secure coding training initiatives.
The skills gap will present challenges
Many organizations have struggled in 2022 with a shortage of resources; almost a third of key software roles are going unfilled as a result of hiring pressures and market shortages. There simply aren’t enough team members with the proper knowledge to address this current dilemma. Enterprises can certainly introduce more tools, but if their development and support teams, as well as leaders, don’t fundamentally understand how to develop applications securely or appreciate why there is a need to do so – despite the race to bring new apps to market – then breaches will continue to occur.
Educating teams proactively is an important part of overcoming the skills gap in 2023. Security needs to become a second language, baked in from the very start of the development lifecycle. In a tough economic climate with budget scrutiny, teams can save costs and boost knowledge by investing in the education of their current teams rather than looking at an already narrow market of security experts. However, this education needs to resonate. Organizations must make sure that they only incorporate training programs that speak directly to the issues those in the SDLC see every day.
Security will become a greater developer priority
The critical vulnerabilities of 2022 have shown us that even the most experienced and capable developers can inadvertently create insecure code. Rather than intentional malicious behavior, this is a by-product of how little education is available on the emerging or 'big ideas' of application security. If a developer is never taught about the risks of the software supply chain, or never shown the mitigation strategies for SQL injection or buffer overflows, how can they write and deliver secure code, especially under the speed-to-market pressures they face?
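To make the SQL injection point concrete, here is an added example (not code from the original article or from any project it mentions) of the kind of side-by-side lesson such training should deliver. It uses Python's standard sqlite3 module with a constructed in-memory `users` table and constructed credentials; the function names and the plaintext password column are illustrative assumptions for the demo, not a recommended authentication design.

```python
import sqlite3


def make_db():
    """Build a throwaway in-memory database with constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    # Constructed sample data; real systems store salted password hashes, not plaintext.
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Vulnerable: untrusted input is spliced into the SQL text.

    A username such as  alice' --  closes the string literal and comments out
    the rest of the WHERE clause, so the password check never runs.
    """
    query = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Hardened: a parameterized query keeps data out of the SQL grammar.

    The driver binds the values separately, so quote characters in the input
    are just characters to compare against, never SQL syntax.
    """
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def demo():
    """Run the same attacker input through both versions and report the outcome."""
    conn = make_db()
    attacker_username = "alice' --"   # constructed injection payload
    attacker_password = ""            # attacker does not know the real password
    return {
        "legitimate_safe": login_safe(conn, "alice", "s3cret"),
        "injection_vulnerable": login_vulnerable(conn, attacker_username, attacker_password),
        "injection_safe": login_safe(conn, attacker_username, attacker_password),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running the script shows the vulnerable version logging the attacker in as `alice` with no password, while the parameterized version returns no match for the same input; the difference is the whole lesson, and it takes a developer minutes to learn once someone actually shows it to them.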
2023 will undoubtedly see more developers prioritizing security. They’ll endeavor to become security assets to the SDLC. However, to make this possible it is crucial that we move past the concept of security ‘awareness’ and focus more on continuous ‘education’. While ‘awareness’ of a vulnerability or insecure code is recognizing it’s there, ‘education’ is knowing how this flaw will affect the software and understanding how to remediate it. Making this differentiation and being able to act on security issues is crucial for developers to provide application security for their organizations.
New threats are evolving
As technology, software and applications develop, so do security threats. Two new risks to consider for 2023 are the metaverse and Web3. These areas are filled with opportunities for businesses as well as hackers and currently not enough attention is being given to this new attack surface that may dominate AppSec conversations in the coming 12 months.
The metaverse in particular is a complex system and we do not have a current standard for how it will run. What’s more, most security tools were not designed for decentralized solutions and therefore they won’t be capable of truly protecting the metaverse from malicious actors. Secure code must be built into applications from the start, meaning security training for any developers in this space is non-negotiable.
Over the next 12 months, software development teams will undoubtedly come up against a number of challenges – from the ongoing skills gap to new and evolving threats – but training on how to solve these will underpin all progress and ultimately reduce the negative effect of insecure software on the economy.