Posted by Synopsys Editorial Team on June 18, 2015
As the builders of applications, developers are the frontline defense against security threats. Unfortunately, most don’t have the training to make sure the code they create is secure.
As a result, their work may be riddled with vulnerabilities that open the door for hackers to access sensitive data and systems. If security scans identify bugs in their code, the code is sent back to the developers for additional work, which means delays and frustration for everyone involved.
Why the gap in developer training?
In part, developers don’t focus on security because their nature is that of a “builder,” not a “breaker.” Software development more closely resembles a creative endeavor than a rigorous engineering process.
A developer’s primary job is creating code with features that work—not worrying about what might go horribly wrong. They accomplish their task by combining known processes and procedures in innovative ways. In doing so, they focus on building strengths and fail to consider potential weaknesses.
Compare the mindset of developers to the iterative design process that engineers follow.
Take bridge construction, for example. We’ve built bridges for thousands of years. Over that time, many have failed. When a bridge collapsed, engineers analyzed the failure and refined their model. They learned lessons from what didn’t work and shared their knowledge with others. Over time, the lessons learned have led engineers to build more stable, reliable bridges.
In contrast, we have only a short history with software security breaches. Therefore, most developers have not yet acquired the rigor of building security into their code.
Typically, developers don’t focus on security because they have never been trained to do so.
For most software developers, security training is an afterthought. Programming classes focus on creating functionality, not preventing threats. Many developers are self-taught and have little formalized training—let alone any security training.
For those developers who do receive security training, it’s typically inadequate. Security classes may be taught by instructors who are not well versed in the topic. For the purposes of illustration, they typically use code examples that are incomplete and don’t demonstrate the full scope of security issues.
What’s more, security threats are evolving rapidly. So, by the time developers need to apply the knowledge they learned in the classroom, the information may be out of date. Or, examples learned in class may not be in the language the developers are programming in for their future job.
Once they are in the workforce, most developers have few opportunities to train. Their time is expensive, and they are required to focus on creating unique functionality and getting applications out the door.
There’s a better approach to developer training.
How can you ensure that your developers are well versed in secure development? Consider the following when looking for the best training program for your team:
Filling in your developers’ knowledge gaps can pay huge dividends. After all, just 19 programming flaws are to blame for 95 percent of software bugs, according to Amit Yoran, the former Director of the Department of Homeland Security’s National Cyber Security Division.
With the right security training, you can ensure your developers get their code right the first time and save yourself a lot of time and effort.
Synopsys helps developers stay up-to-date with application security with both on-site and on-demand training.