Saturday, January 15, 2022

2 Brand New Ways To Train A Cyber Newbie In Secure Coding

 


The issue of the lack of workers in the Cybersecurity field is going to be one that plagues 2022 probably even more so than last year.  With more sophisticated threats coming out day by day, companies need to hire workers quickly in order to come up to speed. 

As I have said before, its not there are not enough people to fill these jobs.  It’s just that companies want that cookie cutter Cyber consultant with every cert under the belt.

The problem here is that nobody wants to train these much younger candidates, even if it means on the job training.  There are many job titles which need to be filled, and now there is a new one that has just cropped up:  The need for software developers that know how to write secure code.

One would think that a recent graduate from a reputable computer science program would be taught in their courses in the principles of how to write some baseline level of secure code. 

But very often they are not, and the culprit here are the computer science professors themselves.  Rather than devoting to quality instruction, many of them just want to do their research.

Which is fine of course, if that is what they choose.  But critics have pointed out that if a professor is assigned to teach a computer science in programming, then they owe it professionally to their students to spend some of that time in teaching the students how to write secure code. 

Because of this, it has been found that at least 76% of all applications by software developers have experienced at least one major security flaw.  More information about this can be seen at this link:

https://www.veracode.com/state-of-software-security-report

From this report, there are other factors that have been cited as to why there is no training in this regard at the collegiate level:

*Professors simply do not know anything about secure software coding principles;

*If they do know something about it, their focus is more on protection rather than teaching as to how a Cyberattacker can actually manipulate a Web app and break in from the weakest point, such as that of a Trojan Horse, or a SQL Injection Attack, as examples.

The study (from the link above) also concluded that as much as there is a gap between the unrealistic cookie cutter job descriptions and the candidates that are out there, there is also a gap that exists between academia and the real world of Cybersecurity.  But the latter is an issue for an article at later point in time.

So what can be done to resolve the problem that we have now, which is the lack of software developers that have some basic training in secure coding?  Here are some ideas:

1)     Train ‘em:

If you have found a candidate fresh out of college with hardly any training in secure software coding, and if they are excited and you think they have potential, snag ‘em up.  Train them in the ways that you think secure coding should be done, and if you don’t know much about this, then get somebody from your IT Security team to get heavily involved in the early stages of this training to the newbie.  By showing that you are taking this extra time for training, not only will the newbie be more motivated to learn, but there will probably be a much higher chance that they will be loyal employees, and stick around with you for the long haul (this is also another problem that the Cyber industry is having – employees bailing ship for a higher paying job).  But, keep in mind, try to keep this training exciting to some degree.  Don’t make into some boring college lecture.  Use the same principles that you have adopted to create a great Security Awareness Training program and use them here as well.  Now, this is all in house training.  You may even want to supplement this with training from outside vendors, just as a way to add more mix to the flavor.  But above all, try to keep this training with real instruction, to make it more interactive.  Just don’t make the whole training program based on some computer modules.

2)     Think long term:

The CISOs in Corporate America are under constant pressure, and that vise is closing in tightly every day, making them reach their mental breaking points quickly.  Oen of the pressures they face is that they need to get software development projects off to the client in the expected time of delivery, for the sheer reason so that they will make payment on it.  Because of that, the excuse is often made that they cannot afford the time to train newbies in this aspect.  But here is where the risk versus reward tradeoff comes into play.  Yes, there is risk that the project could slow down, but guess what?  That cost pales in comparison to the cost if a major security breach were to happen to that project you deliver.  The client is going to point their fingers directly at you, and you could even possibly face a lawsuit.  Now, if you just could have taken some time to train that newbie in how to write secure code, there is a good chance that all of this could have been avoided. And if it comes to the point where you hired a couple of new developers, and you also got a new project handed down to you, try to bake in that extra training time into the deadline of the project.

My Thoughts On This:

Yes, it all goes back to the same issue as I have mentioned before:  Companies will never find that cookie cutter job candidate, and if they do, there is no guarantee that they will even be the right fit for the job when they start. 

Recruiters are simply basing their expectations on what they put on paper, not what could potentially happen in the new world. 

So take the risk, and hire that newbie.  There is really nothing to lose, and IMHO, the benefits far exceed the costs of doing this.  But keep in mind also that your experienced developers will have to be at the forefront of the latest secure coding practices as well. 

So make the training fun, and make it competitive so that everybody will in the end:  You, the CISO, your employees, and your clients.

In the end, it has been cited that there is a Cyberattack that occurs every 39 seconds to a Web based app, the cost of malicious data exfiltration will far surpass the $424 million mark from last year.  Try not to be part of these stats, by simply training your team.

No comments:

Post a Comment

Here Comes 2025: The Major Cyber Threats To Happen

  Ok, here we   go, as we fast approach now into 2025, here are the predictions as what the major Threat Variants and Attack Vectors will be...