CFOtech Australia - Technology news for CFOs & financial decision-makers
Story image
The importance of cybersecurity training for software developers
Wed, 28th Feb 2024

The ongoing barrage of cyber threats being experienced by organisations shows no sign of slowing, making the task of achieving effective security increasingly challenging.

According to the most recent Verizon Data Breach Investigations Report, in 2023, there was an increase of more than 200% in advanced attacks. The IBM Cost of a Data Breach report also pegged the average cleanup costs per incident at $US4.45 million.

This trend makes life particularly challenging for organisations that write their own software. They need to ensure their developers are aware of new threats and are taking new attack types into account when coding.

For this reason, taking the time to train development teams to consistently write secure code can pay huge dividends. It can help to eliminate vulnerabilities at the source and deny attackers any way to exploit code.

Indeed, according to data analysis of 75,000 developers undertaken by Secure Code Warrior, tasking them to become a first line of defence can reduce the number of vulnerabilities in committed code by up to 53%.

The benefits of agile training methods
Thankfully, most software developers want to learn about secure coding practices. Their motivation often comes from a desire to reduce the amount of reworking they need to do on vulnerabilities found by AppSec teams.

However, not all training is created equal. Writing code is a complex skill in an industry that is constantly innovating and changing. This means that traditional ‘check-the-box’-style training will do little to help developers improve their secure coding skills and even less to enhance an organisation’s ability to reduce vulnerabilities in code.

The most effective training methods should use the same agile methods that have proven so effective when writing code and which developers are already familiar with using. 

There are three key pillars for agile learning. They are:

  • Use a ‘microburst’ training approach:

To be most effective, training sessions should be bite-sized, contextual, and offered on an ongoing basis. This will allow developers to access the right training at the right time, in line with the security challenges they are facing.

  • Deliver dynamic content:

When it comes to cybersecurity, static training materials date very quickly and are rarely tailored to the education needs and workflows of developers. Agile learning tends to be much more palatable, especially when delivered in the environments, languages and frameworks developers see in their day job.

  • Add additional layers:

Once a development team has mastered the foundations of secure coding, their upskilling journey can continue into more advanced concepts. This can result in greater trust and access to more desirable projects once their secure coding skills have been assessed and verified.

According to a report by Gartner, by 2025, 70% of large enterprises will adopt agile learning approaches. There is significant potential in this shift to microlearning, continuous improvement, and building key knowledge that can be leveraged for safer software development.

As well as tapping into agile methods, training programs should also follow smart practices like defining desired success criteria, identifying and promoting security champions, incentivising developers who excel, and measuring and quantifying successes along the way.

Allocating sufficient training time
There is one more critical component that organisations need to invest in to ensure a successful training program: allocating time.

Even if developers are keen to learn about secure code, and even if you put a robust training program in place that relies on agile methods, organisations still need to ensure that it will not become an added burden placed on already overworked development teams.

Learning secure code requires time, study, and a safe place to make mistakes. Ideally, an organisation should set time aside during the work week to allow developers to train.

Whether focusing on a dedicated period of time devoted to education or carving out some time every week for ongoing security training, providing the opportunity for developers to study and learn about cybersecurity is vital.

While it may result in some deadlines needing to shift, reducing code-level vulnerabilities will lead to less reworking, streamlined development, and, most importantly, a much lower chance that attackers will be able to exploit code once it reaches the production environment.

By embracing agile learning and allocating sufficient time for developers to undertake the training, organisations will be better placed to withstand the constantly evolving threat landscape with which they are faced.