Professional developers want to do the right thing, but in
terms of security, they are rarely set up for success.
Organizations must support their upskilling with precision training
and incentives if they want secure software from the ground
up.
The cyber threat landscape grows more complex by the day, with
our data widely considered highly desirable “digital gold”.
Attackers constantly scan networks for vulnerable applications,
programs and cloud instances, and the latest flavor of the month is
APIs: Gartner correctly predicted[1] that they would become the
most common attack vector in 2022, in no small part because of
their often lax security controls.
Threat actors are so persistent that new apps can be compromised
and exploited within hours of deployment. The Verizon 2022 Data
Breach Investigations Report[2] found that errors and
misconfigurations were responsible for 13% of breaches, and that
the human element was involved in 82% of breaches, across roughly
23,000 analyzed incidents.
It’s becoming very clear that the only way to truly fortify the
software being created is to ensure that it’s built on secure code.
In other words, the best way to stop the threat actor invasion is
to deny them a foothold in your software in the first place.
Cybercriminals hold a distinct advantage over organizations
scrambling to defend an often vast attack surface, and every window
of opportunity that can be shut for good significantly reduces
risk.
We make it hard for security stars to shine
The current status quo for developers at many organizations is
such that their primary role is to build awesome features and
deploy software at speed. The faster that developers can code and
deploy, the more valuable they tend to be seen in terms of their
performance reviews.
Security can be an afterthought, if considered at all, and is
conspicuously absent as a measure of developer success. The
2022 State of Developer-Driven Security
Survey[3], conducted in conjunction with
Evans Data, supports this outlook: 86% of surveyed developers
revealed that they do not view application security as a top
priority. Instead, much of that is left to the application security
(AppSec) teams to figure out. AppSec teams tend to be a source of
frustration to most developers, because they often send
completed applications back into development to apply security
patches, or to rewrite code to remediate vulnerabilities. And every
hour that a developer spends working on an app that was already
“finished” is an hour they are not creating new apps and
features, thus decreasing their performance (and their value, in
the eyes of a particularly punitive company).
However, the modern threat environment has forced everyone, from
companies to government departments, to rethink the importance and
prioritization of security, and they would be well-placed to
consider how the development cohort fits into a defensive approach.
According to the recent 2022 Cost of a Data
Breach Report[4]
from IBM and the Ponemon Institute, the average data
breach now costs about $4.35 million per incident, although that is
hardly the upper limit. The companies of today want the security
offered by DevSecOps, but, sadly, have been slow to reward
developers who answer that call.
Simply telling the development teams to consider security won’t
work, especially if they are still being incentivized based on
speed alone. In fact, within such a system, developers who take the
time to learn about security and secure their code could actually
be losing out on the better performance reviews and lucrative
bonuses that their less-security-aware colleagues continue to earn.
Companies are, in effect, unwittingly rigging the system to
produce their own security shortcomings, and it comes back to how
they perceive the development team. If they don’t see developers
as the security frontline, a viable plan to put that workforce to
use defensively is very unlikely to come to fruition.
And this doesn’t even account for the lack of training. Some
very skilled developers have decades of experience coding, but very
little when it comes to security… after all, it was never required
of them, nor a measure of success or quality work. Unless a company
provides a good training program, it can hardly expect its
developers to suddenly gain new skills and put them into action in
a meaningful way that actively reduces vulnerabilities.
(Want to compete against other elite developers from around the
world, or nominate your own dev team of security superstars? Join
Secure Code Warrior’s 2022 Devlympics, our biggest and best global
secure coding tournament, and you could win big!)[5][6]
Rewarding developers for good security practices
The good news is that the overwhelming majority of developers do
their job because they find it both challenging and rewarding, and
because they enjoy the respect that their position entails.
Lifelong software engineer Michael Shpilt recently wrote about[7]
all of the things that motivate him and his colleagues in their
development work. Yes, he lists monetary compensation among those
incentives, but it’s surprisingly far down the list. Instead, he
prioritizes the thrill of creating something new, skills
development, and the satisfaction of knowing that his work is going
to be directly used to help others. He also talks about wanting to
feel valued within his company and community. In short, developers
are no different from a lot of good people who take pride in their
work.
Developers like Shpilt don’t want threat actors compromising
their code and using it to harm their company, or the very users
they are trying to help. But, they can’t suddenly shift their
priorities to security without support.
Development teams cannot improve their cybersecurity prowess until
they have been taught the necessary skills. A tiered approach to
learning, paired with tools that are purpose-built to integrate
seamlessly into their actual workflow, can make this process much
less painful while building on existing knowledge in the right
context.
With a commitment to upskilling in place, the old methods of
evaluating developers based solely on speed need to be eliminated.
Instead, developers should be rewarded based on their ability to
create good, secure coding patterns, with the best candidates
becoming security champions[8]
that help the rest of the team improve their skills. And those
champions need to be rewarded with both company prestige and
monetary compensation. It’s also important to remember that
developers don’t typically have a positive experience with
security, and uplifting them with positive, fun learning and
incentives that speak to their interests will go a long way to
ensuring both knowledge retention and a desire to keep building
skills.
(Want to compete against other elite developers from around the
world, or nominate your own dev team of security superstars? Join
Secure Code Warrior’s 2022 Devlympics, and you could take out a
major cash prize in our global tournaments!)[9][10]
References
[1] Gartner, “correctly predicting” (www.gartner.com)
[2] Verizon 2022 Data Breach Investigations Report (www.verizon.com)
[3] 2022 State of Developer-Driven Security Survey (discover.securecodewarrior.com)
[4] 2022 Cost of a Data Breach Report (www.ibm.com)
[5] Secure Code Warrior (securecodewarrior.com)
[6] 2022 Devlympics (discover.securecodewarrior.com)
[7] Michael Shpilt, “recently wrote about” (michaelscodingspot.com)
[8] Security champions (www.securecodewarrior.com)
[9] Secure Code Warrior (securecodewarrior.com)
[10] 2022 Devlympics (discover.securecodewarrior.com)
Read more https://thehackernews.com/2022/10/want-more-secure-software-start.html