Coding bootcamps fill development seats fast—but the trade-off for speed is security. How do you fill the security training gaps in your developers’ education?
It’s no secret that the world of software development has been thrust into the spotlight recently. Tech startups are popping up in “innovation districts” in cities around the world. And single-product software giants are growing floor by floor in some of the nation’s most expensive high-rises. It’s easy to see the influence of software, and the importance of the people who develop it. Yet not all software is created equal, and no two developers share precisely the same aptitude for secure software development.
Coding bootcamps are increasing in popularity. They’re turning out fledgling developers at record rates and filling software development teams with capable coders. Yet many of these coding schools focus on training developers to create applications, rather than to secure them. They tend to emphasize a variety of coding languages, frameworks, and practices. By contrast, they offer only a cursory discussion of software weaknesses, vulnerabilities, and the attack vectors that leave them open for exploit. These full-stack coding bootcamps, separate from security bootcamps, represent a significant portion of new developer education.
In fact, many security bootcamps require a couple of years’ experience, or formal software-related education, for enrollment. These additional requirements to enroll in security bootcamps create a barrier to entry for the nascent developer who is likely to seek coding bootcamps for personal or professional development. Scenarios like these have led to a disproportionate abundance of eager developers, ill-equipped to surmount the high bar set for software security by regulations and compliance standards like GDPR, PCI DSS, HIPAA, and more.
As graduates of coding bootcamps join development teams, it’s imperative that the organizations that employ them understand the juxtaposition of art and science that makes up the developer mentality. All coders have their own styles. They prefer certain languages and frameworks. They have their favorite tools and processes. And they hold their own ideas of application security and secure coding practices. But as any scientist or engineer will tell you, too much variability in a system makes it difficult to identify potential points of weakness or failure.
Until secure software development practices are a staple of all coding bootcamps, enterprises must balance supporting developer creativity with a structured and uniform security training regimen. It’s the only way they can accurately identify shortcomings in their teams’ coding standards and practices.
To do this, many organizations are adopting security training at various levels: companywide training pertaining to attack vectors, data security, and compliance; software security training for developers and engineers; and language- or framework-specific training for specific development teams. By instituting controlled and relevant software security training across the organization, these companies establish a baseline metric for success. Consequently, they can more readily identify potential points of failure before a breach or application downtime can occur.
Steven Zimmerman is a Staff Product Marketing Manager for Synopsys Software Integrity Group, focusing on helping organizations establish a cohesive, resilient application security strategy with developers and software engineers built-in at critical stages. His work supports shift-left software security initiatives and DevSecOps, ensuring enterprise agility and continuous workflows without impeding development.