Why Developers Don’t Know Security

May 4, 2015

We have a fundamental problem in the way we develop software. A large percentage of software is created by people who were never trained on the basics of security. If they know security concepts, it likely occured after writing many, many lines of code.

It’s not that they don’t want to write secure code. It’s most likely that no one has told them what secure code is. Let’s walk through the career of our example developer.

Higher Education

Most developers receive some form of degree. While developers of the future may opt for online learning instead of a formal education, nothing yet points to where someone who is developing code learns security.

Most schools and colleges offer a variety of programming languages as well as courses in architecture, availability, scalability, etc. But very few offer courses in how to write secure code.

My employer, Cigital, is a big proponent of teaching security in college. But that effort is one professor at a time. Even when colleges do teach security, it’s usually an elective.

Our example person graduates college without formal courses in security.

First Job

Fresh out of school, our example person picks up a job at a random big company. Many big companies subscribe to computer based training and they may have the option or be forced to take a developing securely course. (Cigital calls this course Foundations of Software Security.)

Our example person is 23 years old at this point and clicks next throughout the whole training hoping to get to the end quickly before lunch. No information is retained.

Now they’re writing code. Somewhere in the corporate cloud, that code may be tested for vulnerabilies (let’s hope). Even if the company finds vulnerabilities in our example person’s code, it’s rare that the same developer fixes the code they wrote.

So our example developer keeps writing the same insecure code. It’s not that he/she wants to. They just don’t know any better.

Tech Lead

By the time our example developer gets to be a Tech Lead, there is a higher likelihood that they’ll get to interact with the corporate security team and see the results of the security testing. For some, the epiphany happens here. They need to start learning security.

Culturally though, something else often happens. Historically, security people have grown up through infrastructure. They are servers, firewalls, and network people. They don’t write code. So what happens when an infrastructure person tells a developer how to fix their code? It doesn’t go over too well.

And the epiphany doesn’t come to our example developer.

The Startup

The Startup may be our developers lucky day. Since the team is so small, there is a higher likelihood that our example developer would see any security issues in their code. But, it’s also less likely that the startup will be routinely testing their code for security issues.

Epiphany

At some point in this process, I hope our example developer takes the initiative to learn security. This could be through a corporate sponsored training, on-the-job mentoring, or learning outside of work.

A good developer would encourage others to learn security as well.

What Needs to Change

For the story above to turn out differently, a couple of key changes need to occur:

  1. We need to teach security to beginning developers. Whether in college or as part of bringing on new developers to a company, everyone should understand the basics of secure development.
  2. We need more developers to move from the development organization to the security organization. That way when security issues are found, they are being communicated by a developer to a developer.
  3. We need to reward secure development not penalize insecure development. Does any company report on the percentage of secure code being delivered? No. They report on the number of security issues found.

This is why I blog

There are many learning gaps in the information security field today. People are struggling to move up within the information security organization and non-security people can’t find their way into the security field. One of the areas I plan to focus on is helping developers find their way into the security field. The impact of one developer writing, leading, and mentoring security will be hugely impactful.

[optin_box style=”19” alignment=”center” email_field=”email” email_default=”Enter your email address” integration_type=”mailchimp” welcome_email=”Y” thank_you_page=”https://www.jayschulman.com/developer-thankyou" list=”fa9c1b51c4” name_default=”Enter your first name” name_required=”Y”][optin_box_field name=”headline”]Are You A Developer?[/optin_box_field][optin_box_field name=”paragraph”]PHA+U2lnbiB1cCB0b2RheSB0byBzdGFydCBvciBjb250aW51ZSBsZWFybmluZyBhYm91dCBzZWN1cml0eS4gwqBZb3UnbGwgcmVjZWl2ZSBpbmZvcm1hdGlvbiBzZWN1cml0eSB0aXBzLCBjYXJlZXIgYWR2aWNlLCBhbmQgbXkgd2Vla2x5IHNlY3VyaXR5IGxvbmdyZWFkcyBuZXdzbGV0dGVyIHRvIGhlbHAgeW91IGtlZXAgdXAgYW5kIGxlYXJuIGFib3V0IHRoZSBsYXRlc3QgaW4gaW5mb3JtYXRpb24gc2VjdXJpdHkuPC9wPgo=[/optin_box_field][optin_box_field name=”privacy”]We value your privacy and would never spam you[/optin_box_field][optin_box_field name=”top_color”]undefined[/optin_box_field][optin_box_button type=”0” button_below=”Y”]Start Learning[/optin_box_button] [/optin_box]