Software Integrity Blog


Critical gap in developer training puts applications at risk

As the builders of applications, developers are the frontline defense against security threats. Unfortunately, most don’t have the training to make sure the code they create is secure.

As a result, their work may be riddled with vulnerabilities that open the door for hackers to access sensitive data and systems. If security scans identify bugs in their code, it is sent back to developers for additional work, which means delays and frustration for everyone involved.

Why the gap in developer training?

Developers like to “build.” They aren’t taught to “break.”

In part, developers don’t focus on security because their nature is that of a “builder,” not a “breaker.” Software development more closely resembles a creative endeavor than a rigorous engineering process.

A developer’s primary job is creating code with features that work—not worrying about what might go horribly wrong. They accomplish their task by combining known processes and procedures in innovative ways. In doing so, they focus on building strengths and fail to consider potential weaknesses.

Compare the mindset of developers to the iterative design process that engineers follow.

Take bridge construction, for example. We’ve built bridges for thousands of years. Over that time, many have failed. When a bridge collapsed, engineers analyzed the failure and refined their model. They learned lessons from what didn’t work and shared their knowledge with others. Over time, the lessons learned have led engineers to build more stable, reliable bridges.

In contrast, we have only a short history with software security breaches. Therefore, most developers haven’t developed the rigor of building security into their code.

There’s no formalized structure for security training.

Typically, developers don’t focus on security because they have never been trained to do so.

For most software developers, security training is an afterthought. Programming classes focus on creating functionality, not preventing threats. Many developers are self-taught and have little formalized training—let alone any security training.

For those developers who do receive security training, it’s typically inadequate. Security classes may be taught by instructors who are not well versed in the topic. For the purposes of illustration, they typically use code examples that are incomplete and don’t demonstrate the full scope of security issues.

What’s more, security threats are evolving rapidly. So, by the time developers need to apply the knowledge they learned in the classroom, the information may be out of date. Or, examples learned in class may not be in the language the developers are programming in for their future job.

Once they are in the workforce, most developers have few opportunities to train. Their time is expensive, and they are required to focus on creating unique functionality and getting applications out the door.

There’s a better approach to developer training.

Follow best practices for developer security training.

How can you ensure that your developers are well versed in secure development? Consider the following when looking for the best training program for your team:

  • Developers love a challenge. They are problem-solvers, so lectures won’t appeal to them nearly as much as hands-on exercises that let them work through real-life scenarios.
  • Make the courses relevant. Guidance, case studies, and examples should match the technology and platforms that the developers are currently using.
  • Use engaging demos. One way to capture developers’ attention is to use hacking demos. Not only will this strategy show them the mindset they are up against, but it will also demonstrate the need for validating and sanitizing input and for thinking through what might happen if something breaks.
  • Consider online training. Although less interactive than instructor-led training, e-learning courses allow developers to participate in training when they have time. E-learning may be ideally suited for teaching complex material that can be reviewed again and again if needed.
  • Provide incentives. Offering a reward for every course or series of courses completed can encourage developers to make time for training.
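
As an added illustration of the input-validation point in the demo bullet above, here is the kind of small “before and after” a hands-on exercise can be built around. This is example code written for this edit, not code from the original post or from any Synopsys course; the base directory, the allow-list pattern, and the sample inputs are all constructed assumptions.

```python
import re
from pathlib import Path

# Constructed base directory for the demo. In a real service this is the one
# directory the application is permitted to read report files from.
BASE_DIR = Path("/srv/demo-app/reports")

# Allow-list for report names: short, alphanumeric, with a known extension.
# Anything that does not match this pattern is rejected outright.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.(txt|pdf)$")


def naive_report_path(user_input: str) -> Path:
    """The 'before' version a demo starts with: untrusted input is joined
    straight onto the base path, so whatever the user supplies shapes the
    final location (including '..' segments or an absolute path)."""
    return BASE_DIR / user_input


def validated_report_path(user_input: str) -> Path:
    """The 'after' version: reject input that is not on the allow-list, then
    confirm the resolved path still lives under BASE_DIR before using it."""
    if not isinstance(user_input, str) or not SAFE_NAME.fullmatch(user_input):
        raise ValueError("report name rejected by allow-list")
    candidate = (BASE_DIR / user_input).resolve()
    # Defence in depth: even if the pattern is loosened later, the resolved
    # path must remain inside the base directory.
    if BASE_DIR.resolve() not in candidate.parents:
        raise ValueError("report name escapes base directory")
    return candidate


def is_inside_base(path: Path) -> bool:
    """True when the resolved path sits under BASE_DIR; used to show where
    each version of the function actually ends up."""
    try:
        path.resolve().relative_to(BASE_DIR.resolve())
        return True
    except ValueError:
        return False


def check_input(user_input: str) -> str:
    """Summarise the hardened function's decision for one input."""
    try:
        validated_report_path(user_input)
        return "accepted"
    except ValueError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    # Constructed sample inputs: one normal name and three 'what if it
    # breaks' cases a demo would walk through (empty, traversal, absolute).
    samples = ["q1-summary.txt", "", "../../etc/passwd", "/etc/passwd"]
    for s in samples:
        naive = naive_report_path(s)
        print(f"{s!r:22} naive -> {str(naive):32} inside base: {is_inside_base(naive)!s:5} "
              f"| validated -> {check_input(s)}")
```

The contrast is the lesson: the naive version happily builds a path outside the base directory for two of the four inputs, while the validated version rejects them with a clear reason. The second check on the resolved path exists precisely for the “what if something breaks” question, since it still holds if someone later relaxes the allow-list.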

Filling in your developers’ knowledge gaps can pay huge dividends. After all, just 19 programming flaws are to blame for 95 percent of software bugs, according to Amit Yoran, the former Director of the Department of Homeland Security’s National Cyber Security Division.

With the right security training, you can ensure your developers get their code right the first time and save yourself a lot of time and effort.

Synopsys helps developers stay up-to-date with application security with both on-site and on-demand training.
