Secure coding education must foreground ongoing training

Just as doctors learn valuable lessons while in residency and treating patients alongside other doctors, software developers learn how to best recognize and remediate a vulnerability in code when faced with real-life problems.

Nowadays, web developers are expected to write 100 times more code than just 10 years ago, but developers are held to high security standards and quick go-to-market speeds.

The way secure coding is taught in universities doesn’t suffice. The cyberattacks that both users and organizations face each and every day imply that the approach to preventing vulnerabilities needs to change — and fast.

With just about everything being run by software, cyberattacks from vulnerabilities in code have come to fruition at an alarming rate. Programming is not a simple trade to teach — the field includes so much specialization with different languages and technology areas. What needs to accompany the curriculum is exposure to real-life scenarios where threat actors have been successful. After all, vulnerabilities can get very specific to a programming language and/or the platform that code runs on (i.e., webserver or database software). Thus, software developers can focus on those specific areas.

Most companies with mature development organizations already have internal training in place for new hires to ensure they know and adhere to the company’s coding standards — how to organize code, how to comment, specific syntax for things in a given programming language, etc. A lot of these coding standards are preferences, rather than strict rules that must be followed. However, ongoing training is a critical technique that must accompany these organization-specific policies. Training that incentivizes continual exposure to examples of successfully exploited vulnerabilities and how to prevent them can help software developers keep security top of mind.

Given the fact that too few developers understand coding for security, it is imperative for the industry to push for the following three improvements to ensure the advancement of initial education as well as the continuous learning aspect following graduation:

• Inject specific, real-life vulnerability training into academia.
• Create clear incentives for developers to continually learn how threat actors think and examine code.
• Obtain commitments from C-level management to embrace security culture and ensure it is embedded in the Software Development Lifecycle (SDLC).

Today’s higher education software engineering curriculum is not preparing developers to create secure applications. Students must gain experience from real-life examples, learning to think like a threat actor and how to prevent the vulnerability in the first place.

Just like doctors, they need to continuously learn new technologies and practices to ensure secure code. Patients appreciate and seek out those doctors who emphasize their ongoing training at preventing illness — and users and organizations will undoubtedly and similarly praise development teams that secure the vast quantity of software-based tools all of us use in our daily lives.