On June 11, 2019, the National Institute of Standards and Technology (NIST) released a draft white paper (https://csrc.nist.gov) describing a set of practices for reducing software vulnerabilities and cyber-risk. The paper, titled “Mitigating the Risk of Software Vulnerabilities by Adopting a Secure Software Development Framework (SSDF),” gives organizations concrete guidance for avoiding the damaging, and expensive, consequences of a data breach.
It is important to note that the SSDF is deliberately generic: it does not assume every organization has the same software security goals, nor does it prescribe an exact mechanism for achieving them. Its main objective is the adoption of security best practices. As one of its authors, Donna Dodson, puts it: “While the desire is for each security producer to follow all applicable practices, the expectation is that the degree to which each practice is implemented will vary based on the producer’s security assumptions. The practices provide flexibility for implementers, but they are also clear to avoid leaving too much open to interpretation.”
Of particular note are the specific inclusions around software security training for developers. We have known for a long time that developers need adequate training if they are to defend an organization from the very beginning of the software development process, but what counts as adequate? There are plenty of differing opinions. The guidance does, however, push in a direction that should finally produce measurable results.
There’s Security Training … And There’s Effective Security Training
Software security training needs to be implemented more effectively, engaged with, and tailored to the needs of the developer. Even now, in many organizations, it is a “check-the-box” exercise at best: a few hours of video training, or perhaps some classroom-based learning. The steady stream of large-scale data breaches, most of them enabled by well-known (and usually easily fixed) vulnerabilities, is evidence that software security training is nowhere near as effective as it needs to be. Perhaps most importantly, there is very little in place to verify whether the training was effective at all: Are vulnerabilities being fixed faster? Are fewer vulnerabilities being introduced into code? Have people actually completed the training, or have they just clicked “next” to power through it?
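The first two of those questions can be answered from the organization's own vulnerability tracker rather than from an LMS completion log. The script below is an added example, not code from the NIST paper or from the original article: it splits a team's findings into those opened before and after a training completion date and compares median time-to-fix, the share fixed within an SLA, and the rate at which new findings appear, against an untrained control team. The team names, training date, findings and the 30-day SLA are all constructed assumptions.

```python
"""Measure whether developer security training changed outcomes.

Added example, not from the NIST SSDF paper or the original article.
All findings, team names, training dates and the 30-day SLA are constructed.
"""
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional


@dataclass(frozen=True)
class Finding:
    """One vulnerability record as exported from a tracker (constructed)."""
    id: str
    team: str
    cwe: str                 # weakness class the training covered, e.g. CWE-89
    opened: date
    closed: Optional[date]   # None means still open on the report date


# Constructed sample export: 'payments' completed training on 2019-09-01,
# 'search' is an untrained control team.
TRAINED_ON = {"payments": date(2019, 9, 1), "search": None}
AS_OF = date(2019, 12, 1)
WINDOW_START = date(2019, 6, 1)

FINDINGS = [
    Finding("P1", "payments", "CWE-89", date(2019, 6, 3), date(2019, 7, 20)),
    Finding("P2", "payments", "CWE-79", date(2019, 6, 18), date(2019, 8, 30)),
    Finding("P3", "payments", "CWE-89", date(2019, 7, 10), None),
    Finding("P4", "payments", "CWE-79", date(2019, 8, 5), date(2019, 8, 25)),
    Finding("P5", "payments", "CWE-89", date(2019, 9, 10), date(2019, 9, 18)),
    Finding("P6", "payments", "CWE-79", date(2019, 10, 2), date(2019, 10, 30)),
    Finding("P7", "payments", "CWE-89", date(2019, 11, 20), None),
    Finding("S1", "search", "CWE-89", date(2019, 6, 10), date(2019, 8, 1)),
    Finding("S2", "search", "CWE-79", date(2019, 9, 15), date(2019, 10, 5)),
    Finding("S3", "search", "CWE-89", date(2019, 10, 20), None),
]


def median_days_to_fix(findings):
    """Median remediation time over closed findings only (None if none closed).
    Caveat: this ignores still-open findings, so it flatters a team that closes
    the easy tickets and lets the hard ones rot; always pair it with sla_rate()."""
    days = [(f.closed - f.opened).days for f in findings if f.closed is not None]
    return median(days) if days else None


def sla_rate(findings, as_of, sla_days=30):
    """Fraction of findings fixed within sla_days.
    Open findings older than the SLA count as misses; open findings younger
    than the SLA are excluded because their outcome is not yet decided."""
    decided = hits = 0
    for f in findings:
        if f.closed is not None:
            decided += 1
            hits += (f.closed - f.opened).days <= sla_days
        elif (as_of - f.opened).days > sla_days:
            decided += 1
    return hits / decided if decided else None


def new_per_30_days(findings, start, end):
    """Rate at which new findings were opened in the window [start, end)."""
    n = sum(1 for f in findings if start <= f.opened < end)
    return n * 30 / (end - start).days


def cohort_stats(findings, start, end, as_of):
    return {
        "n": len(findings),
        "median_days_to_fix": median_days_to_fix(findings),
        "fixed_within_sla": sla_rate(findings, as_of),
        "new_per_30_days": new_per_30_days(findings, start, end),
    }


def effectiveness_report(findings, team, trained_on, window_start, as_of):
    """Compare a team's findings opened before vs. after training completion.
    For an untrained (control) team everything lands in 'before'; 'after' is None."""
    team_findings = [f for f in findings if f.team == team]
    if trained_on is None:
        return {"before": cohort_stats(team_findings, window_start, as_of, as_of),
                "after": None}
    before = [f for f in team_findings if f.opened < trained_on]
    after = [f for f in team_findings if f.opened >= trained_on]
    return {"before": cohort_stats(before, window_start, trained_on, as_of),
            "after": cohort_stats(after, trained_on, as_of, as_of)}


if __name__ == "__main__":
    for team, trained_on in TRAINED_ON.items():
        print(team, effectiveness_report(FINDINGS, team, trained_on, WINDOW_START, AS_OF))
```

Two design points matter more than the arithmetic. Open findings are censored data: dropping them makes median time-to-fix look better than it is, which is why the SLA rate treats an old open finding as a miss and a young one as undecided rather than ignoring both. And a before/after comparison on one team cannot separate training from a quieter quarter or a new scanner; the untrained control team is there so the same metrics can be read side by side over the same period.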
Developers are busy people, working hard to deliver to strict deadlines. Security is an inconvenience a lot of the time, and rarely are they equipped with the knowledge during their education to successfully mitigate cyber-risk. The word “security” usually comes up when a member of the AppSec team is pointing out flaws in developers’ work, making for a rather cold and dysfunctional relationship. It’s a “Your baby is ugly—go fix it” scenario.
What does this tell us? It’s a decades-old red flag that we are not doing enough to win developers over on security. They are not motivated to take responsibility or to seek out the tools they need to create software that is functional, yet made with security best practices in mind.
Developers are clever, creative, and love to solve problems. It is quite unlikely that watching endless videos on security vulnerabilities is going to excite them or help them remain engaged. In my time as a SANS information security instructor, I learned very quickly that the best training is hands-on, forcing them to analyze and be challenged intellectually, using real-world examples that test their brain and build on prior learnings. Gamification and friendly competition are also powerful tools to get everyone on board with new concepts that are useful and practical in application.
NIST’s guidelines specify the following: “Provide role-specific training for all personnel in roles with responsibilities that contribute to secure development. Periodically review role-specific training and update it as needed.” And later: “Define roles and responsibilities for cybersecurity staff, security champions, senior management, software developers, product owners, and others involved in the SDLC [software development life cycle].”
This guidance, while not specific about the type of training, still keeps security best practices top-of-mind. It puts the onus of finding effective, role-specific training back on the organization, which should result in developers being armed with the right tools and knowledge to succeed.
Culture: The Missing Link
Even if an organization is putting time and resources into training developers and other key staff members, and placing emphasis on their roles in preventing vulnerabilities and reducing security risk, the effort can often go to waste if the security culture of an organization remains fundamentally broken.