Secure coding education must foreground ongoing training

Image by Austin Distel from Unsplash

Just as doctors learn valuable lessons while in residency and treating patients alongside other doctors, software developers learn how to best recognize and remediate a vulnerability in code when faced with real-life problems.

Nowadays, web developers are expected to write 100 times more code than just 10 years ago, but developers are held to high security standards and quick go-to-market speeds.

The way secure coding is taught in universities doesn’t suffice. The cyberattacks that both users and organizations face each and every day imply that the approach to preventing vulnerabilities needs to change — and fast.

With just about everything being run by software, cyberattacks from vulnerabilities in code have come to fruition at an alarming rate. Programming is not a simple trade to teach — the field includes so much specialization with different languages and technology areas. What needs to accompany the curriculum is exposure to real-life scenarios where threat actors have been successful. After all, vulnerabilities can get very specific to a programming language and/or the platform that code runs on (i.e., webserver or database software). Thus, software developers can focus on those specific areas.

Most companies with mature development organizations already have internal training in place for new hires to ensure they know and adhere to the company’s coding standards — how to organize code, how to comment, specific syntax for things in a given programming language, etc. A lot of these coding standards are preferences, rather than strict rules that must be followed. However, ongoing training is a critical technique that must accompany these organization-specific policies. Training that incentivizes continual exposure to examples of successfully exploited vulnerabilities and how to prevent them can help software developers keep security top of mind.

Given the fact that too few developers understand coding for security, it is imperative for the industry to push for the following three improvements to ensure the advancement of initial education as well as the continuous learning aspect following graduation:

Inject specific, real-life vulnerability training into academia.
Create clear incentives for developers to continually learn how threat actors think and examine code.
Obtain commitments from C-level management to embrace security culture and ensure it is embedded in the Software Development Lifecycle (SDLC).

Today’s higher education software engineering curriculum is not preparing developers to create secure applications. Students must gain experience from real-life examples, learning to think like a threat actor and how to prevent the vulnerability in the first place.

Just like doctors, they need to continuously learn new technologies and practices to ensure secure code. Patients appreciate and seek out those doctors who emphasize their ongoing training at preventing illness — and users and organizations will undoubtedly and similarly praise development teams that secure the vast quantity of software-based tools all of us use in our daily lives.

Business-impacting events such as severe weather, man-made disasters, and supply chain disruption are increasing in frequency and making impacts around the globe.

Push-to-Talk over Cellular (PoC) is today’s Nextel radio network with nationwide voice, text, and video calling that can be quickly deployed with no infrastructure costs.

Secure coding education must foreground ongoing training

Blog Topics

Security Blog

On the Track of OSAC

Recent Comments

Insufficient information

Thankyou so much for sharing such an informative...

I just wish my mechanical lock had a...

security

Security

Blog Roll

Security Industry Association

Security Magazine's Daily News

SIA FREE Email News

SDM Blog

Get our new eMagazine delivered to your inbox every month.

Stay in the know on the latest enterprise risk and security industry trends.