
Is it The Right Time to Train Your Software Developers in Security?

2015-04-29 00:10

Whilst most organisations understand the need to improve their security, many take action in the wrong way. Despite spending hundreds of thousands of pounds on the latest security tools, they fail to meaningfully reduce the vulnerabilities, bugs and risks of their development projects.

Whilst the latest and greatest SaaS security tools are fantastic at identifying potential threats, they fail to address one of the main contributors: developer behaviour. In order to improve security in a meaningful and cost-effective way, your organisation’s first course of action needs to be developer security training.

Realising the Limitations of Security Tools

Security tools are designed to identify vulnerabilities, and prioritise the risks associated with each. Whilst individual line-of-code visibility is a hugely valuable security asset, successfully identifying risk isn’t the same as reducing risk.

Security tools can be hugely expensive, and often require large amounts of time and manpower to implement within a large organisation. In order to effectively use these tools, and interpret their findings, it’s commonplace for security and IT staff to require additional training, incurring an additional level of cost in the process.

The end-goal of this expense is to ensure that your security tool is working at optimum capacity, and identifying as many vulnerabilities as possible. Assuming that to be the case, you may find yourself inundated by thousands of vulnerabilities, each requiring some form of remediation. In many instances, solving these problems still requires some form of developer security training.

At this point, your organisation could easily have spent hundreds of thousands of pounds, only to find itself in the same position it started in: you know that you have security risks, but you aren’t able to solve them.

Security Starts with Developer Training

In order to reduce your security risks, it’s a better idea to start with developer security training, and invest in security tools once your developers understand the best practices of secure development.

Many of the vulnerabilities identified by security tools are caused by simple security mistakes. By giving your developers security training from the outset, many of these vulnerabilities can be eliminated early in the software development lifecycle. As well as reducing your organisation’s net risk, this will also improve the efficacy of any SaaS security tools you choose to deploy.

Security tools are designed to be as comprehensive as possible, and will detect all manner of vulnerabilities. Whilst some of these will be high-priority, many of them are simple developer errors that pose relatively little security risk (and some may even be false positives). These low-value findings can make it extremely difficult to identify the most serious threats, and a laundry-list of vulnerabilities to remediate can prevent developers from resolving the important ones effectively.

Security training will reduce basic developer errors, and make it easier to identify and prioritise the most serious threats – potentially reducing vulnerabilities from an unapproachable list of a thousand, to a manageable and actionable workload of 20-30 high priority cases.

Earning the Best Return from Security

Organisational security is always a balancing act, between the costs of security measures, and the costs of vulnerabilities. It’s your job not just to improve security, and reduce risks, but to do so in the most cost-effective way. With that in mind, the crux of this argument is simple: you’ll have to implement developer training at some point, so it makes sense to do so when you’ll earn the biggest bang for your buck.

The overall cost of training secure developers is usually a fraction of the total cost of ownership associated with a SaaS security tool. As well as directly improving your security in the short and long term, investing in developer training from the outset will improve your eventual return on any security software purchases. In the process, you’ll be improving a developer’s skillset rather than hindering them with countless bugfixes, helping them to feel engaged and invested in security.


Source: www.securityinnovationeurope.com/blog/is-it-the-right-time-to-train-your-software-developers-
