Secure coding training isn’t required in most computer science programs. How can you fill the gaps in your developers’ education without slowing them down?
Organizations seeking to curb the risks of an ever-expanding attack surface need to take a hard look at their application security practices. According to Forrester’s Show, Don’t Tell, Your Developers How to Write Secure Code, 73% of security decision-makers in organizations with more than 1,000 employees say improving application security capabilities and services is a top or critical priority. This isn’t surprising, considering another Forrester survey found that the two top causes of security breaches were direct attacks on web applications and taking advantage of exploitable software vulnerabilities.
There are a few different ways to address risks at the application layer. Most people think of application security tools as the solution to identify vulnerabilities so developers can fix them. It’s true that organizations can and should use application security solutions to identify security issues. But they can also slow down development processes and won’t find everything.
Another way to reduce security issues in the application layer is to avoid introducing them in the first place. Of course, no developer can commit perfect code every time. But organizations can take steps to train developers in secure coding practices. Development training can help teams produce more secure code the first time around. As a result, they won’t have to fix long lists of issues found by code analysis tools.
Why are organizations on the hook to train their developers? Shouldn’t that be part of the price they pay for their developers? Not really. The Forrester report on coding found that none of the top five international schools for computer science require secure coding or secure application design as part of their course requirements. That being said, there are still good reasons why organizations may be hesitant to invest in secure coding training.
Developers are expensive—especially when they’re not coding. It’s not easy to ask developers to stop working to spend time in a classroom or on an e-learning solution. Teams need to find ways to provide developers with the means to improve their secure coding techniques without slowing them down.
Code Sight™ and Seeker® are Synopsys products that look at code in different ways to find security weaknesses or vulnerabilities. Through its integrations with both these products, Synopsys eLearning recommends courses based on the issues the products identify. These courses allow developers to learn more about the issues most relevant to them.
The eLearning integrations also provide short snippets of eLearning courses. Each course snippet focuses on a particular issue. That way, developers can get the information they need now and quickly get back to coding. By integrating secure coding training into the development experience, Synopsys helps developers learn at their own pace, when it makes the most sense for them.
Code Sight is an IDE plugin that examines code as developers are writing it, using the Coverity static analysis engine. Developers get on-the-fly feedback on the security of their code. With the Code Sight eLearning integration, developers get secure coding training on current issues right in their IDE.
Seeker is an interactive application security testing (IAST) solution that identifies, verifies, and triages security vulnerabilities in web applications. Seeker drops into CI/CD pipelines rather than integrating into the IDE. So developers can access eLearning course snippets during the triage and remediation process. These course snippets make it easy for them to learn more about the issues that Seeker finds.