Too many developers lack adequate security training and education. Unless developers have been trained on the job or have gone out of their way to seek the training, chances are they have little to no security training. I interviewed a graduate once for a development position who had written a production web application for their university. The developer did not know to hash or salt the passwords before storing them in the database. This is not surprising though. Universities are not doing their part to teach security. There are a few studies that demonstrate the current state of affairs.
Universities Are Not Setting the Bar
CloudPassage studied 121 of the top universities [1]. These were some of their findings:
- None of the top 10 U.S. computer science programs required a single cybersecurity course.
- Three of the top 10 universities did not even have a security course.
- Only one of the top 36 computer science degrees required a security course.
- Out of the top 50, only three required a security course.
Lack of Training
If developers aren’t getting their education from university, they should be getting training from their employer or on their own. We see some uninspiring statistics regarding training from a study performed by the Denim Group [2]. They surveyed development teams and found that 33% had no application security training at all, and only 25% had more than 3 days of security training throughout their career. They found that e-learning and instructor-led presentations were the most common mediums. Participants ranked instructor-led presentations as significantly more effective than e-learning courses. The medium with the highest effectiveness ranking of all was 1-on-1 training.
Treating the Symptoms
Large amounts of money are spent every year on security scanners, vulnerability assessments, and penetration tests for web applications. Even more money is spent in developer hours to remediate and re-test flaws that the developers should have avoided in the first place. It is safer and more efficient to train the developers and get the security baked in from step 0. It also provides confidence and peace of mind that during code reviews, developers will examine each other’s code with a keen awareness for security and work together to identify flaws before code progresses to the next stages. It is also important to provide security training for quality assurance teams. Developers, testers, and managers should all be familiar with the OWASP Top 10 at a bare minimum. Regular security training for developers and testers ensures your new hires will get trained quickly and your veteran employees will learn more every year.
Developers spend enough time keeping up-to-date with the latest frameworks and sharpening their skills. It can be difficult to stay current in both the development world and the security world if your full-time role is to produce code. Developers need regular expert training by security professionals who stay up-to-date on the latest techniques and tools and see real-world examples daily.
We need to expect, demand, and create professional developers by taking the initiative to train them and set the expectations. Robert C. Martin (Uncle Bob) talks about professionalism in programming [3]. He emphasizes that it is not going to be long before there is a high-profile accident due to flaws in the source code that controls self-driving cars, guidance systems, or critical infrastructure. We must, as an industry, treat the root cause of application security flaws instead of the symptoms, which means training the developers.
There are many cases where significant loss has occurred due to developer errors. While not specifically security related, flaws in the software were the root cause of these losses. According to reports, the NASA Mars Climate Orbiter burned up in the atmosphere after getting too close to Mars due to miscalculations in the trajectory calculation software which used pound-seconds units instead of newton-seconds units. The Ariane 5 exploded after an operand error occurred between 64-bit and 16-bit values. The Northeast blackout of 2003 was caused by a race condition in the alarm system software of a control room.
Financial organizations have suffered as well. In 2011, AXA Rosenberg paid over $240 million to settle with the SEC after a bug in its software caused financial miscalculations. The Knight Capital Group disappeared virtually overnight after losing $440 million due to a trading glitch. In 2012, Barclays Bank clients could not withdraw money from their accounts due to human error.
Books are a great way for developers to learn. One book that has a lot of great information is The Web Application Hacker’s Handbook: Finding and Exploiting Security Flaws. It covers the flaws that frequently appear in the OWASP Top 10 and more. It is very thorough, and if you become familiar with the concepts in this book you will be able to understand and protect against the vast majority of attacks on web applications.
Another book that I highly recommend for developers is Hacking: The Art of Exploitation, which covers lower level flaws like stack and heap overflows in C. The first section of the book is a quick lesson on C programming and memory structure which is a great refresher for experienced developers and ensures beginner C programmers understand the relevant concepts. Make no mistake though, this book is not light reading. Between those two books you can learn to write very solid code.
We need to raise the bar and set expectations for developers to know the basics of software security. We see that universities are not even close to doing their job. Developers and employers must seek out security education on a regular basis to stay up-to-date. This way we treat the root cause of security issues instead of the symptoms.
[1] CloudPassage – CloudPassage Study Finds U.S. Universities Failing in Cybersecurity Education – https://www.cloudpassage.com/company/press-releases/cloudpassage-study-finds-u-s-universities-failing-cybersecurity-education/
[2] Denim Group – Fine-Tuning an AppSec Training Program Based on Data – https://www.youtube.com/watch?v=5g1M4F0bRfA
[3] Robert C. Martin (Uncle Bob) – Demanding Professionalism in Software Development: A Critical Management Imperative – https://www.youtube.com/watch?v=p0O1VVqRSK0