Don't Shift Left, Start Left: Why Developers Should Be the First Line of Defense

By Maria Henriquez
October 29, 2019

In a recent Security webinar, How You Can Turn Security Training and Awareness into Action, Pieter Danhieux, Co-Founder and CEO of Secure Code Warrior, says there are 111 billion lines of code written by an estimated 22 million developers every year. “Building code is like building a house. If you do everything well, you end up with a beautiful, modern and secure house,” says Danhieux.

Recent headlines, such as the Imperva data breach, have shown that failing to write secure code, even in security applications, can land enterprises in a similar position. “We’re making the same vulnerabilities over and over again,” says Danhieux. “We’re in a situation where we know all the vulnerabilities out there, and we need to break out of that dangerous cycle of writing insecure code.”

Danhieux attributes data breaches to three things:

  1. Society’s demand for software is growing faster than security knowledge distribution and skills.
  2. There is no emphasis on building a culture of security awareness.
  3. Many vulnerabilities (and their remedies) have existed for decades, but coders are still introducing them into modern software. 

He says, “The current approach isn’t working…and it hasn’t for a long time.” One of the things enterprises need to address, he says, is making developers the first line of defense.

Current application security tools focus on moving from right to left in the Software Development Life Cycle (SDLC), notes Danhieux, which usually results in:

  • Finding problems and pointing them out – a situation that pits security teams against developers.
  • Detection and reaction (finding vulnerabilities in code that has already been written, then fixing them), which is unproductive and far more costly than writing secure code in the first place.

So what does it mean to start left, and why should your enterprise not shift left, but start left? 

Starting left is thinking and acting with a secure code mindset, says Steve Allor, Director of the Americas, Secure Code Warrior. “Starting left is arming and enabling developers to write better and more secure code tomorrow.”

Traditionally, says Allor, the line of defense is:

  • Application security scanning is implemented late in the SDLC, after code has been architected, designed and written.
  • The code is then checked for a variety of security and other quality defects to determine which are low-risk vs. high-risk, and which must be resolved before the software can be put into production.

This is time-consuming, and far more costly, says Allor. “Statistics show that developers continue to make the same mistakes because they do not know how to fix vulnerabilities,” he notes. 

According to Secure Code Warrior, 85 percent of exploited vulnerabilities are attributed to just 10 known vulnerabilities. The Open Web Application Security Project (OWASP) Top 10 vulnerabilities enterprises face due to application security weaknesses are: 

  1. Injection 
  2. Broken Authentication 
  3. Sensitive Data Exposure 
  4. XML External Entities 
  5. Broken Access Control
  6. Security Misconfiguration 
  7. Cross-Site Scripting 
  8. Insecure Deserialization 
  9. Using Components with Known Vulnerabilities
  10. Insufficient Logging & Monitoring 

“The challenge is finding a way to enable the developer to learn how to avoid creating these vulnerabilities in a time and resource-constrained industry. That’s why it’s important to implement a security culture where developers are the first line of defense,” says Allor. 

Why Developers Should Be the First Line of Defense

“We are in a world that gets more digital every day, which means more software is driving commerce, business transactions and everything we do. With that comes risk,” says Allor. “The organizations that have implemented security controls are trying to find vulnerabilities and trying to fix them.”

While attempting to find and fix vulnerabilities, enterprises are also trying to balance the competitive pressures to stay ahead of the marketplace and continuously innovate, he notes. “CTOs and CIOs are being pressured to release more functionality quickly in order for their enterprises to stay ahead of the competition in a digital landscape. Business slows down every time enterprises try to find and resolve the vulnerability while balancing risk.”

Overall, Allor says, if enterprises help developers write secure code from the start, they ultimately gain the most time, because they can release more software more quickly with fewer imperfections, leading to less rework and more time to balance competitive pressures. “Developers are able to effect and change the outcome of application security risk and profile within an enterprise when they are the first line of defense. They help enterprises create success in their digital strategy as they are able to create more secure software that is released more quickly.”

In combination with developers, there are many pillars enterprises should employ in their defense, Allor says. “Every enterprise should ensure every individual maintains a level of security awareness to ensure they are helping protect their own assets, as well as the assets they manage on behalf of the business.” Security awareness programs, notes Allor, include anti-phishing campaigns, strong password protection, building security policies and many more. “They are a critical component of de-risking an enterprise’s overall strategy.”

Training Helps! 

“A third of the cyber risk is a result of application security vulnerabilities. We know what the fixes and issues are for 80 to 90 percent of the vulnerabilities exploited. What the industry hasn’t improved yet is how to create a scalable way to teach developers how to avoid these mistakes, in a very hands-on, learn-as-you-go type of training that enables enterprises to move to a prevention-oriented posture,” says Allor. 

Enter Secure Code Warrior. “Our approach is to mirror how a developer learns, which is through experiential learning. When you ask a developer how they learned to write their code, the answer is typically ‘on the job, from a friend or through experimentation.’ Being able to replicate that hands-on applied learning in their specific language and framework helps meet the developer in ways that they understand and helps them improve their code,” he says.  

Secure Code Warrior focuses on delivering a Software as a Service (SaaS) platform that creates a hands-on, interactive language and framework to engage the developer in their learning process and enable an enterprise with the tools and modules they need to implement a continuous learning process, notes Allor. “Having a continuous learning program ultimately leads enterprises to drive and reinforce the techniques, so that developers become more familiar with these skills.”

“We have a training mode that engages the developer in a self-paced way of progressing in their language and frameworks,” says Allor. “During the training, they are challenged with locating, identifying and fixing the vulnerabilities, thus creating exposure and application security awareness. It also helps them learn and understand the many ways to avoid these vulnerabilities. Developers learn that writing secure code is attainable, as well,” he says.

In addition, Secure Code Warrior has a tournament that enterprises can use to create incentives, recognitions and awards to make security fun, with a “backdrop of learning that helps developers flex the application security or secure coding ‘muscle’ throughout that tournament,” he says. “The tournament contains an assessment engine that allows enterprises to implement belting systems, as well. The assessment tool enables enterprises to verify if that individual is learning to a level of proficiency they need to complement other metrics, such as the ultimate reduction in the number of vulnerabilities found in the overall scanning process in their applications.”

Overall, Secure Code Warrior tries to give developers a tangible and real way to experience and understand known vulnerabilities such as the OWASP Top 10, to hone their skills “while allowing an enterprise to help lead and guide an application security culture,” says Allor. “It aids in reinforcing the importance of application security skills that help developers be the first line of defense and add value to the enterprise and the marketplace. Ultimately, enterprises achieve their goals to minimize risk, while continuing to drive and increase success in their digital strategy.”

KEYWORDS: application security authentication data breaches security training


Maria Henriquez is a former Associate Editor of Security. She covered topics including cybersecurity and physical security, risk management and more.
