There’s a long-running debate in the software development community that, for once, has nothing to do with the global pandemic: when we talk about secure coding, should functionality or performance be priority one?
In the rush to meet delivery deadlines, there is general acceptance that although “secure code perfection” is the goal, total perfection is not realistic (people make mistakes, requirements change and the changes are never fully remediated, etc.). If perfection isn’t attainable, which matters more: the functionality of the code (does it do what it was asked to do) or its performance (readability, modularity, elegance, etc.)?
A foundational aspect of enterprise and mobile application development, secure coding aims to keep code as clean as possible. Code free of defects, bugs and logic flaws is code free of the security vulnerabilities those defects turn into, and that protects the entire software development lifecycle. Even the smallest programming mistake can cause a large-scale security failure that undermines deployment and application success, ultimately leading to compromised intellectual property and data.
A commitment to secure coding principles can be driven from anywhere within an organization, as many players have a direct hand in enterprise and mobile software application success. While IT often “gets a bad rap” for being inflexible and controlling about what may and may not be done in the name of security, it’s critical that every layer of the software development team (from the CTO/CSO to AppSec managers and developers, to those on the business and customer-facing sides) proactively strive to eliminate, or at the very least reduce, software vulnerabilities.
However, if those programming on the front lines lack the proper skills and the training support needed to get code as close to “perfection” as possible, the initiative fails before it begins (whether the code is functional or high performing won’t matter anyway). Herein lies the conflict that ripples through development teams (when it really shouldn’t), and why proper training is becoming the non-negotiable answer to the question of what matters most.
Training yields better code, and lower cost and risk
Most are aware of the estimated cost of software bugs (upwards of $60 billion a year, according to the Department of Commerce’s National Institute of Standards and Technology); the associated risk is harder to put a number on.
We also know that the point in the software development lifecycle at which a bug is introduced determines how hard it is to remediate, and how much cost and risk follow from it. Developers must do their part by aiming to write code that is as correct and secure as possible, which means adhering to the AppSec requirements set by the organization and by industry standards bodies.
While the onus is on companies to hold code to the highest standard, they can’t assume developers “just have” the necessary know-how. Programmers fresh out of college are rarely taught the value and practice of secure coding, or how it prevents vulnerabilities.
Providing continuous opportunities for dev team skill-building and advanced training as part of a company’s secure code objectives, and tying defined AppSec priorities to performance metrics, makes a significant difference in motivation, performance and security integration. Programmers also gain a shared knowledge base, which fosters an environment where they can spend more time writing and deploying good code rather than fixing errors.
Gamification a key training strategy
Certainly, integrity should be a characteristic of all developers (companies want code that is functional, performs well and is of high quality), but companies still find it challenging to ensure that everyone with a role in the enterprise software and application lifecycle shares the same level of commitment to coding ideals. One strategy working well for distributed and hybrid teams is gamification. Generally speaking, coders like competition, and it goes deeper than the desire to earn the top spot on a leaderboard. Self-proclaimed techie and gamer Brent Hale sums up the benefits of coders who game quite nicely in the article “6 Reasons Why Programmers Should Start Playing Video Games.”
As integrating gamification into secure coding training helps developers become more security-aware, the market is responding with a growing number of companies offering such services and solutions. For example, Secure Code Warrior offers ways to improve secure coding skills and outcomes through tournaments, courses, assessments and more. While companies can’t expect developers to be security “experts,” they can certainly require them to become security “champions,” the first line of organizational defense.
Virtual training considerations
Today’s mid-pandemic reality means teams are even more distributed than before COVID created mandatory remote work environments. Enterprise-level training was affected too: the days of in-person classes are gone. We’ve ushered in a modern era of virtual, online eLearning formats, and companies are pleasantly surprised by the value generated from the ability to learn with anyone, from anywhere, at any time.
When considering the “learners” involved with secure code training (developers, designers, data scientists, testers, etc.), be mindful that they will know, very quickly, whether or not what they’re experiencing is delivering value. They’re also intimately familiar with technology in a way that the average business user is not.
Therefore, it’s important for CTOs, CIOs, CHROs and VPs of Engineering to run training and development courses on the most modern, efficient, easy to use eLearning platforms available. While an array of models (e.g., online, distance and/or remote learning) are accessible depending upon the type of instructor/learner/content needs, it’s important to consider a few key objectives when creating virtual secure coding training programs:
- Implement training through a cloud-native model,
- Establish secure coding parameters and performance expectations at the outset,
- Have flexibility in teaching methods and time management to meet various learner styles,
- Make remote learning fun and flexible for the learner and instructor,
- Increase engagement levels with smart tools that support metrics and accountability, and
- Structure coursework to meet unique hard and soft skill development.
In addition, it’s critical to note that while convenient for general day-to-day communication, mainstream audio, video and chat collaboration tools (Zoom, WebEx, Google Meet, Slack, etc.) are too rudimentary to serve as platforms for quality virtual eLearning programs that will drive the desired secure coding results.
Clearly, code functionality and performance are both important. 2021’s increased investment in secure code training and development will reinforce that, but it will place the greatest emphasis on creating the cleanest code possible to thwart the security vulnerabilities that lead to cyberattacks and compromised data assets.