Of the top 50 U.S. undergraduate computer science programs, none requires an application security or secure coding course. Only nine of the 50 even offer one or more electives in application security or secure coding, according to the IT research firm Forrester.
Security experts have long said that security needs to start with developers, and yet it tends to remain a network conversation. That's a problem, frankly: companies that suffered an external breach in the 12 months preceding Forrester's 2022 survey reported that two of the top attack methods were exploitation of vulnerable software and direct web application attacks, according to Forrester's Analytics Business Technographics Security Survey.
Companies need to focus on recruiting developers who already have security skills and on providing security training to the developers they have, advised Janet Worthington, a Forrester analyst.
"When you go to hire, look for people who have that skill set," Worthington told The New Stack. "Also getting more women and underrepresented groups into cybersecurity is a huge need — we need to increase our cybersecurity workforce and work with groups like women in security and privacy, the WISP [Women in Security and Privacy] group, they are targeted at security."
But because security skills are in such high demand, companies may need to reach out to external groups like local colleges for support.
“We highly recommend that organizations go out and work with their local colleges and universities, because there’s a lot that they can supply,” Worthington said. “For example, there are some application security vendors even who will run ‘capture the flag’ events or run a mini security hackathon.”
Why Developers Must Be Involved with Security
It’s important for security professionals to work with developers on application security for two reasons, Worthington and other Forrester analysts wrote in a Sept. 2022 report, “Show, Don’t Tell, Your Developers How to Write Secure Code”:
- Developers unwittingly use insecure components while creating apps. “There were 20,169 vulnerabilities published in 2021 alone according to CVE Details, up 10% from the year before — and your developers have the potential to expose your company to any number of them,” Forrester noted.
- Developers shouldn't rely only on runtime protection tools, such as web application firewalls, API protection and runtime application self-protection (RASP). While these tools can be effective, the more they defend, the more they impact application performance, the report stated. They can even become a single point of failure, it added.
Steps Frontend Developers Can Take Now
One immediate step is to use hard quality gates: software that detects issues and stops the development workflow, for example by failing the build, if there is a security problem, Worthington said. A quality gate can also work with legacy applications, in that it can stop developers from adding new vulnerabilities even where existing ones remain, Forrester stated in its report.
“This software would act as the gate. At one time, there were people who would do the assessments, but now we’re trying, with DevSecOps, to make sure everything is automated and integrated into the software development pipeline,” Worthington explained. “We often talk about running a static analysis tool or a dynamic analysis tool as part of the development process, and there’s a lot of these tools that fit easily into [a developer’s] IDE, where they’re doing their coding.”
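As an added illustration of the "hard quality gate" idea (this is example code written for this article, not a Forrester tool or any scanner's real output format), the script below is the kind of small CI step that sits after a static analysis run. It reads the scanner's findings, compares them with an accepted baseline of known legacy issues, and fails only when a finding at or above the chosen severity is new. The report and baseline objects are constructed sample data, and the field names (`rule`, `severity`, `file`, `snippet`) are assumptions for the example; a real tool emits SARIF or its own JSON, so the field mapping would be adapted.

```javascript
// Added example: a minimal hard quality gate for a CI pipeline.
// Policy: any finding at or above `minSeverity` that is not already in the
// accepted baseline blocks the build. Baseline findings are tolerated so a
// legacy app can adopt the gate without first fixing all historical debt.

const SEVERITY_RANK = { low: 1, medium: 2, high: 3, critical: 4 };

// Identify a finding by rule + file + vulnerable snippet rather than by line
// number, so that unrelated edits that shift lines do not turn a known legacy
// finding into a "new" one.
function fingerprint(f) {
  return `${f.rule}|${f.file}|${String(f.snippet).trim()}`;
}

// Returns { pass, blocking, ignored } where `blocking` are new findings at or
// above the threshold and `ignored` are findings matched against the baseline.
function evaluateGate(findings, baseline, minSeverity) {
  const threshold = SEVERITY_RANK[minSeverity];
  if (threshold === undefined) throw new Error(`unknown severity: ${minSeverity}`);
  const known = new Set(baseline.map(fingerprint));
  const blocking = [];
  const ignored = [];
  for (const f of findings) {
    const rank = SEVERITY_RANK[f.severity] || 0; // unknown severity never blocks
    if (known.has(fingerprint(f))) {
      ignored.push(f);
    } else if (rank >= threshold) {
      blocking.push(f);
    }
  }
  return { pass: blocking.length === 0, blocking, ignored };
}

// Constructed sample data (not real scanner output). Field names are assumed.
const baseline = [
  { rule: 'xss-innerhtml', severity: 'high', file: 'legacy/widget.js', line: 40,
    snippet: 'el.innerHTML = user.name' },
];

const report = [
  // Same legacy finding, now on a different line: tolerated.
  { rule: 'xss-innerhtml', severity: 'high', file: 'legacy/widget.js', line: 57,
    snippet: 'el.innerHTML = user.name' },
  // New high-severity finding: blocks the build.
  { rule: 'sqli-concat', severity: 'high', file: 'api/search.js', line: 12,
    snippet: '"SELECT * FROM items WHERE q = \'" + q + "\'"' },
  // New low-severity finding: below threshold, reported but not blocking.
  { rule: 'sensitive-log', severity: 'low', file: 'ui/app.js', line: 3,
    snippet: 'console.log(token)' },
];

// Produce the gate's exit code (0 = pass, 1 = block). A CI wrapper would call
// process.exit() with this value; it is returned here rather than called so
// the module can be imported and tested.
function runGate(findings, base, minSeverity = 'high') {
  const result = evaluateGate(findings, base, minSeverity);
  for (const f of result.blocking) {
    console.log(`BLOCK ${f.severity.toUpperCase()} ${f.rule} ${f.file}:${f.line}`);
  }
  console.log(result.pass
    ? `gate passed (${result.ignored.length} baseline findings tolerated)`
    : `gate FAILED: ${result.blocking.length} new finding(s) at or above ${minSeverity}`);
  return result.pass ? 0 : 1;
}

runGate(report, baseline, 'high');

module.exports = { evaluateGate, fingerprint, runGate, report, baseline };
```

The baseline is what makes this usable on a legacy codebase: the team accepts today's findings once, commits the baseline next to the code, and from then on the gate only ever complains about something a developer just introduced. Review the baseline periodically rather than letting it grow into a permanent exception list.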
It’s particularly important for developers to be involved with monitoring low-code platforms, which have potential security flaws if they generate code rather than metadata, the report stated. Just as with custom code, generated code should be subject to security testing tools, Forrester noted.
“Some low-code platforms claim that the code they generate is secure and won’t expose common weaknesses such as cross-site scripting or SQL injections,” Forrester stated in its report. “However, you’ll need to verify that secure code is really being generated.”
Until education requirements catch up with the need, developers also may need to educate themselves and put practices in place to check their own code. For frontend developers, that includes being aware of problems like cross-site scripting and SQL injection.
“We still see those out there,” Worthington said. “If you know how to code or if you know the resources you can use, that can help you to prevent, or go back and correct those.”
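To make the cross-site scripting point concrete for frontend developers, and to show the kind of check Forrester says should be applied to generated code as well, here is an added example (written for this article, not from Forrester or any low-code vendor) that renders untrusted user data into HTML the vulnerable way and the hardened way. The `user` objects are constructed attacker input. It builds HTML as strings so it runs in Node without a DOM; the same rule applies in the browser, where `textContent` and attribute setters replace `innerHTML` string building.

```javascript
// Added example: an XSS-prone renderer beside a hardened one.
// Two output contexts are covered, because escaping alone is not enough for
// both: text inside an element, and a URL inside an href attribute.

// VULNERABLE: untrusted values interpolated straight into markup.
function renderUnsafe(user) {
  return `<p>Hello, ${user.name}</p><a href="${user.site}">homepage</a>`;
}

// HTML-escape the five characters that change meaning in element content and
// quoted attribute values.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// A javascript: URL contains no HTML metacharacters, so escaping would pass it
// through untouched. Parse the URL and allow only http(s); anything else,
// including relative URLs and unparseable strings, is replaced with "#".
function safeHref(url) {
  try {
    const parsed = new URL(String(url)); // lowercases the scheme, strips leading whitespace
    if (parsed.protocol === 'http:' || parsed.protocol === 'https:') {
      return escapeHtml(parsed.href); // still escape: a query can contain & or "
    }
  } catch (_) {
    // not an absolute URL
  }
  return '#';
}

// HARDENED: every untrusted value is encoded for the context it lands in.
function renderSafe(user) {
  return `<p>Hello, ${escapeHtml(user.name)}</p><a href="${safeHref(user.site)}">homepage</a>`;
}

// Constructed attacker input.
const attacker = {
  name: '<img src=x onerror=alert(1)>',
  site: 'JavaScript:alert(document.cookie)',
};

// Constructed ordinary input, to show the safe path does not mangle legitimate data.
const normal = {
  name: 'Ada "Countess" Lovelace & co',
  site: 'https://example.com/profile?id=1&tab=2',
};

console.log('unsafe:', renderUnsafe(attacker));
console.log('safe:  ', renderSafe(attacker));
console.log('normal:', renderSafe(normal));

module.exports = { renderUnsafe, renderSafe, escapeHtml, safeHref, attacker, normal };
```

The `safeHref` allow-list is the part people usually miss: a template that escapes `<` and `>` still emits `<a href="javascript:...">` intact, and a low-code platform that claims its output "prevents XSS" should be tested with exactly this kind of input in both contexts before the claim is believed.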