You may be familiar with today's application security dilemma, a multi-pronged problem that most organizations face. It includes:
- Security Concerns – The OWASP Top 10 has not changed in over a decade, and from 2021 to 2022, the number of new vulnerabilities has increased by 59%, according to The Stack.
- Pressure on Development – Developers are expected to produce more code in a shorter amount of time, according to Sourcegraph.
- Lack of Security Training – According to Forrester, secure coding is not a requirement for students in the top 50 coding programs.
- Regulations – According to GitLab, bodies are regularly shifting liability for software products and services to organizations developing the software.
So we are asking: how can we help developers build secure software without slowing down development or feature delivery?
The Impact of an Application Security Risk
According to the 2023 Verizon Data Breach Report, 50% of organizations experienced over 39 web app attacks, and for many of them these attacks pushed their teams to be reactive rather than proactive.
You may not be a stranger to these attacks either: 56% of the most significant incidents in the last five years tie back to web app security issues, with a combined price tag of 7.6 billion dollars. These are things that we as an industry need to make progress on to avoid heavy regulation from governing bodies.
Today's Vulnerability Management Approach
Now that we know more about the application security dilemma and the impact of an application security risk, what are organizations doing today to promote secure web app development?
Here are the three main AppSec initiatives we are seeing organizations take today:
- Building security awareness with annual OWASP Top 10 review videos to understand vulnerabilities at a high level
- Using code scanning tools and code reviews between development and security teams
- Implementing patches after periodic penetration tests
But what else can be done to improve web application security?
A study conducted by Enterprise Management Associates found that most organizations are already doing code scans and code reviews. When the study looked at the security impact of adding training to those two practices, it found a 96% improvement in the security of the software.
Combining proactive training, reactive tools, and recovery practices has a real impact on software security, but this combination is not used as often as we'd like.
How Do Developers Learn Best?
We may know that the impact of security training is immense, but we also need to understand how to meet developers where they are so they stay engaged in their training long-term.
According to Stack Overflow, almost 80% of developers currently learn from online resources such as videos, blogs, and online training. That is where developers are comfortable learning, so that is where we need to meet them so they can easily add security to their skillset.
What To Look for in an AppSec Training Solution
When it comes to application security training, you can either build your program in-house or purchase a program from a vendor. Both are good options depending on the size and needs of your organization.
We've seen that organizations that purchase expertly crafted security training generally have more success delivering fresh content on demand to their learners.
If you're looking to purchase security training from an outside vendor, here are some key points to consider:
- The variety of learning modalities, including videos and hands-on lessons
- Knowledge assessments to prove learning gain
- Specific role-based training paths for development functions
- Level of gamification to drive engagement
- Offering consistent new and refreshed lessons
- Reporting availability to show measurable results
- Strong customer support to aid program management
Programmatic Approach to Security Training
First, it's essential to understand the difference between the security awareness and security education approaches to secure development training.
- Awareness - designed to make developers aware of best practices for identifying and reporting potential threats, and of the importance of following security policies and procedures. Many programs focus on an overview of the OWASP Top 10.
- Education - tailored to software developers, providing them with theory and hands-on training to write secure code from the ground up.
Security awareness training is a great starting point when building your program. Still, we want to move towards security education that builds the skills and knowledge needed to address the application security dilemma.
The Value of Security Education for Developers
Today's application security dilemma is not unique to one or a few organizations; it's an industry-wide trend, and the industry as a whole needs to work together to protect our customers and organizations. If you are ready to move from awareness to education, you can check out our AppSec Training Platform today.