Application security is facing a dilemma. Developers are in a continuous race against the clock to meet market demands and churn out new applications and features, meaning that the potential for security flaws to be introduced increases exponentially. The adoption of generative AI-based software in software development further complicates matters, challenging business leaders to keep cybersecurity issues in check. GitLab’s 2022 DevSecOps report found that 57% of organizations believe security is now a relevant metric for assessing developer performance, but 56% also noted that developers rarely prioritize fixing security problems. So, something needs to change. CISA recently called on the industry to take responsibility for secure products, and secure by design is a great aspiration, but how do we achieve it?
Chasing Tools Isn't the Answer
The good news is that application security starts and ends in the software development lifecycle (SDLC). It's a challenge that requires everyone's vigilance, but crucially, developers have a key role to play. Traditionally, the focus has been more about ‘shifting left’ or moving penetration testing and code scanning earlier on in the SDLC. However, this only presents half the picture and is not good enough. While scanning for vulnerabilities is certainly important, the main issue is that code scanning tools run the risk of large numbers of false positives, eventually leading to ‘alert fatigue’, where developers ignore any flaws flagged and therefore limit the effectiveness of this approach.
What is required is ensuring that more robust code is built right from the outset. However, the answer isn’t chasing even more tools to support developers in this quest, as this often leads to gaps in security. Tools should be considered safety nets, not solutions. A recent Enterprise Management Associates (EMA) study on secure coding practices found that out of 129 developers using code scanning tools, only 10% of organizations prevented a higher percentage of vulnerabilities than organizations not using code scanning tools.
The same study also revealed that as many as 70% of organizations are missing critical security steps in their SDLC. What is therefore required is a greater investment in developer education to ensure they can not only recognize key security principles and vulnerabilities but also apply this knowledge to novel situations to better secure applications, therefore becoming a more ‘diligent developer’. It can also reduce the burden on them further down the line by avoiding added pressure to patch at the last stage of development.
Last year it was revealed that 53% of developers have no professional secure coding training. Secure code training has been an oversight, with none of the top 50 U.S. undergraduate science computer programs requiring a course in code or application security. With workforces around the world struggling to fill the cybersecurity skills gap, it is vital organizations see continuous education as crucial in addressing constantly changing technology and market demands. In such a dynamic landscape of risk, a one-and-done approach simply doesn’t suffice.
Taking this one step further, this education should then also be extended beyond the realm of the developer to every member of the development team: from project management and UX specialists to QA, product management and beyond. Everyone involved in creating software should understand application security, so developers are better supported to write secure code. And, after all, they share a common goal with a common responsibility which is to support business growth securely.
Ultimately, organizations must get to a point where coding securely becomes a more lasting and ingrained habit and becomes part of the DNA of an organization. For example, development leaders who aren’t responsible for developing code but instead focus on accountability for developing applications with fewer vulnerabilities, for them an ingrained habit could be treating security features as "lifeboat" essentials before pushing code live.
There needs to be an industry-wide shift in mindset if we are to see any real change in the AppSec Dilemma, supported with continuous education - especially in an era where new critical vulnerabilities are revealed weekly, and cybercriminals are becoming increasingly sophisticated. Organizations should invest in regular educational programs to keep developers up to date on emerging threats, vulnerabilities, and secure coding practices. By staying informed and diligent about the latest security trends, and adopting a proactive approach to education, developers and teams can better anticipate and mitigate potential risks from the earliest stages of development.