AppSec’s Secret Weapon to Improve Security Culture and Engagement

Recently, Australian banks have been taking charge of their global influence to develop strong security mindsets among their employees responsible for developing software. According to Pieter Danhieux, co-founder of Secure Code Warrior, five out of Australia’s top six banks are actively engaging their developers to build secure coding skills through online, self-paced, gamified learning environments. Banks are further reviewing real-time metrics and reporting to their decision-making leaders to verify the strengths and weaknesses of their developers and teams.

Matias Madou, CTO, Director and Co-Founder of Secure Code Warrior, stresses the importance of hands-on software security practices. Companies can ensure a positive and effective application security (AppSec) culture within their organization by guaranteeing developers get the appropriate training they need to write secure code right from the start. “Normally, from the developer perspective, they don’t always get the training they need. It’s critical to implement platforms that are overlaid with gamification elements, so that it is fun and engaging for the developer when he or she is taking the training. Traditional and old-school training is just video-based and encompasses fairly boring material. A more modern platform challenges the developer to try to solve and learn about application security. A system that incorporates achievements and levels, like belting and badges, further guarantees developers come out of their training with all the tools they need to code securely,” Madou says.

It’s important to note that gamification will not function as a miracle if there is no substance to your platform, Madou notes. “You have to have substance to your platform. For instance, at Secure Code Warrior, we have more than 3,000 coding exercises that challenge developers. Secondly, to make those exercises engaging, a world map where developers locate themselves, and have to defend against threats is another way to make exercises engaging. There are many elements for the developers to relate to the cause they are assigned. Once developers start solving the coding exercises, they get points and they are able to compare themselves to other developers in their organization. This further challenges them and provides a fun environment for them to harness their coding skills.”

Secure Code Warrior, for example, is guaranteeing developers enjoy the learning process by implementing tournaments, hosted quite frequently. At the end of each tournament, the victorious developer gets a prize, such as a drone, t-shirt and more. “Through all of these mechanisms, AppSec leaders can ensure that they are enabling their developers to actively learn through fun and engaging processes,” Madou says. “At the time, developers learn about an application security culture and how to apply what they have learned in their day-to-day jobs.”

The first step to establishing a positive AppSec culture is to train developers for the job they will be performing. “It does not make sense to train a developer in Java, for example, if they are writing in Python,” Madou notes. Although they are not opposites, they are different languages. Where Java is statically typed and comfortable with its use of braces and semicolons, Python is a dynamically typed language that uses syntactically-significant whitespace. “Relevant training is what the developer can relate to in their daily responsibilities. If a developer will be writing Cobalt code, then train them in COBOL.”

There are many benefits of having a positive application security culture within your organization, notes Madou. “Usually, the industry focus is simply on finding vulnerabilities, rather than fixing or preventing. If you ensure that developers obtain the education they need to write secure code, that will empower organizations to have a first line of defense if there are any looming threats. Furthermore, you are enabling developers to work faster, and more efficiently, successfully preventing or mitigating any financial damages associated with any vulnerabilities that root from insecure code.”

Ultimately, a major benefit of having an AppSec culture is the ability to mitigate and prevent costly data breaches. “In application security right now, we teach developers how to write secure code. What organizations are attempting to do is protect code by adding additional code on that same code. What organizations need to do is go to the source of the problem,” Madou suggests.

When asked if human error is part of data breaches, Madou says, “Developers want to do the right thing. Except, they don’t know how. Universities teach them how to think and design code; however, security is briefly touched on. It’s not about writing secure apps, it’s about encryption. Ultimately, leading developers to introduce problems without their knowledge. This is why it’s important to have developers focus on training first.”

Quite often, developers face challenges when it comes to their organizations, as companies do not place application security as a priority. “The challenge is that organizations have to support these initiatives. They have to say, “Yes, security is important within our organization,” Madou says.

Finally, there is good news. According to Madou, there are more companies placing security as their top most priority. This comes as no surprise, or rather, an expected initiative as data breaches are at a record-high. A new report from Juniper Research found that the cost of data breaches will rise from $3 trillion each year to more than $5 trillion in 2024, an average annual growth of 11 percent, primarily driven by increasing fines for data breaches as regulation tightens, as well as a greater proportion of business lost.

ON DEMAND: Business-impacting events such as severe weather, man-made disasters, and supply chain disruption are increasing in frequency and making impacts around the globe.

A head of state needs heart surgery at your facility. High-profile members of a national sports team are getting updated vaccinations. What do you do when you get the call?