CIO

SecDevOps is hindering developers who are keen on Agile but inadequate at security

Developer-focused education crucial as pen-testers find the same application security problems, over and over again

Efforts to improve software-development speed are conflicting with the need for better security in regulated industry sectors like banking and telecommunications, a penetration-testing expert has warned, while working to build more engaging ways of teaching security to developers who are more focused on Agile than on writing secure code.

“Agile is becoming really popular because of its ability to let developers write something today that goes online tomorrow,” Pieter Danhieux, a cybersecurity expert and SANS Institute certified instructor who is finding strong support for his Secure Code Warrior (SCW) online security-training platform, told CSO Australia.

“But these organisations really feel the pain of cybersecurity, because in a classical model security slows them down: developers don’t have those skills, and need to call on a centralised group of security people.”

With the goal of implementing a ‘SecDevOps’ style of operationalised security, centralised groups of security experts have been recently introduced at organisations like Telstra, which last year rolled out a ‘Secure Code’ team whose sole purpose is to find bugs in code written by other units across the telecommunications giant.

Such teams already have their hands full: a recent Veracode report found that 61 percent of all internally developed applications failed basic compliance tests when measured against the OWASP Top 10 list. More concerning still, commercially developed software was even less secure, failing compliance checks 75 percent of the time.

Danhieux believes companies need to engage more directly, and regularly, with their developers to build and maintain the kind of SecDevOps mentality that will stop security from interfering with the nimbleness that lies at the heart of Agile development.

“We firmly believe that those skills should be part of the developer’s training,” he said, “and that when he is developing code he is confident enough to push it online without much security checking because he already has that knowledge built in.”

SCW – an Australia-based startup that in 2015 began offering online learning tutorials designed to engage developers – now employs 21 people and claims customers in 9 countries. The firm has seen a strong reception from the financial-services industry, with telecommunications and technology firms more recently coming aboard.

All, Danhieux says, are struggling to meet the burden of compliance whilst innovating quickly enough to keep up with aggressive and intensifying competition for customers and the online services they demand.

Many companies have been increasing their spend on regular security testing, with Gartner recently forecasting that interactive application security testing (IAST) spend would lead “fast growth” in spending through 2021 as enterprises push back against continued data breaches.

Yet improving developers’ security skills has become particularly important even in organisations that are increasing the frequency and scope of their penetration-testing exercises, which have been shown to have limitations of their own.

“If you ask a pen-tester to fix things, they won’t be able to do it,” explains Danhieux, a former pen-tester who founded the company after “getting frustrated with the fact that we were finding the same software weaknesses in every organisation, every time we did the test.”

He levelled some of the blame for poor developer security at university training courses – a sentiment shared by many – with developers taught how to build applications but very little about how to protect them.

“Nobody really explains to developers what is good code or bad code,” Danhieux said. “They don’t know what you can use and can’t use.”

SCW has eschewed conventional slide-based training, instead focusing on building “recognisable and real-world”, industry-relevant scenarios where developers can hone their skills.

Early work with financial-services firms helped the company develop and refine its cybersecurity training, and it is now developing additional content – in new languages and subject-matter areas – to better service technology and telecommunications customers. Embedded analytics and visualisation tools help customer organisations get a clear view of how well-developed their developers’ security skills are – and where they are falling far short of compliance or best-practice requirements.

“Organisations want to know what skills sets are in their teams,” Danhieux said, noting that many companies also use the reporting features to track the capabilities of their external suppliers. “Working with some of our early adopter clients allowed us to refine the concepts of how we train people. These companies are using the same programming stacks, and they have the same challenges.”