Share this article on:
As businesses continue their strategies of digital transformation to improve efficiency and drive growth, one area that remains particularly challenging is cyber security.
Faced with the continuing evolution of threats and an increase in the number of attacks, it can be tough to maintain effective protection for core IT resources and users.
It is easy for the public to assume that every business has a robust cyber security program and that protection is just a matter of selecting the right software and activating it like a force field to stop threat actors in their tracks. With 2022 being one of the worst years on record for cyber security incidents, many security professionals can only wish it were that simple.
While many industries — especially in the financial sector — are compliance-driven and bound by increasingly complex regulatory frameworks that demand strict security measures, the reality is that most organisations lack true cyber resilience. Research shows that more than half of large companies worldwide are not effective in stopping cyber attacks, nor are they finding and fixing exploited vulnerabilities quickly.
Even organisations considered advanced — with a defined, mature program encompassing a best practice triple threat of people, processes, and technologies — can struggle to keep up with the fast-paced demands of the threat landscape.
The role of developers
One critical area in which many companies fall short is role-based security awareness, especially for the software development team. While every person in an organisation must understand the role they play in reducing the attack surface, those who are wrangling code day in, day out could be in the driver’s seat of a genuinely transformational approach to security if only they were adequately upskilled.
A holistic, defensive security program demands continuous improvement, and it requires careful attention to laying solid foundations. If those foundations are predominantly tools-based, chances are good that maturity levels are lower than security leaders are banking on.
A study by the Ponemon Institute revealed that 53 per cent of enterprises were not confident that their security tech stack could effectively stop breaches. With human error continuing to be a leading cause of successful cyber attacks on companies, great and small, leaving developers out of a strategic security uplift is playing with fire.
Why developers can lead the push for more secure software
The uncomfortable truth surrounding cyber attacks is that, in almost every instance, attackers are at a distinct advantage over their target enterprises, no matter where they are in their security maturity journeys. Attackers have the time, tools, and motivation to meticulously scan for any weakness to exploit, dedicating themselves to breaking through and reaching pay dirt.
Organisations, on the other hand, are juggling business and customer needs. While they can’t afford the immense risk of a show-stopping cyber attack, it is not practical for business operations to slow to a crawl in order to accommodate an abundance of security controls that may end up obstructing performance. This is where security-skilled developers represent an X factor in cyber defence outcomes.
Traditionally, developers have not been enabled to share the responsibility for security in a meaningful way. This can and must change. Organisations can create viable upskilling pathways for the development cohort, but they need to select education options that deliver relevant course material in ways that make sense in their world. At a minimum, information should be conveyed in the languages and frameworks developers actively use. It should also address the vulnerabilities they are most likely to encounter in their codebases.
When courses are structured with the developer’s workflow in mind, there is a far greater likelihood that the poor coding patterns that perpetuate common vulnerabilities and misconfigurations can be replaced with good, safe patterns that significantly increase software quality over time.
Creating a more secure environment is the responsibility of everyone in an organisation. However, because of the critical role they play, developers are very much front and centre. Consider how your development team can play a bigger role in achieving effective software security.
Matias Madou is the chief technology officer and co-founder of Secure Code Warrior.