Peanut butter and jelly; cookies and milk; DevOps and Security Training… yes, these are actually all things that should go together. While most people understand the first two food references, only those of us in cybersecurity should understand the third. As the press heralds yet another security breach almost daily, it stands to reason that our development practices, while they may be becoming more agile, still leave open vulnerabilities that attackers exploit.
DevSec Training Challenges Evolve
It is actually a well-known secret that most developers lack specific training, documented management guidance on security imperatives, or even the time necessary to keep up with the latest security best practices. As more companies adopt agile development methodologies such as DevOps, they tend not to adequately consider security or integrate it into the cycle. A TechBeacon article titled “Devs still struggle with app sec: 3 ways to get your team up to speed” provides specific impact costs:
“The security features of web application frameworks are fairly complex, and correctly using code to implement security in an application is often difficult. No wonder, then, that 94% of applications tested in 2018 contained a vulnerability in a security feature, according to Micro Focus Software Security Research's 2019 Application Security Risk Report.
It's a critical—and unfortunately, persistent—problem. In 2017, almost the exact same percentage of applications—93%—had a vulnerability caused by the incorrect use of a security feature or defects in security functions.”
This raises the question: where does the intersection of DevOps and security come into play? Or, at a minimum, where does security training fit into the daily expectations of DevOps?
Security Training And DevOps
You most likely understand that great security training can eliminate coding vulnerabilities before they are exploited by cyber criminals, causing your firm to lose productivity, profit or even brand reputation. What you may not realize is that this sometimes sets the stage for a battle of wills between departments within an organization.
This battle of wills stems from the obvious question of who is ultimately responsible for the security of in-house developed code: the development team or the security team? According to Daniel Newman in his Forbes article titled “5 Reasons DevOps And Security Need To Work Together”, these are the items you should consider, presented here with a variation on why you should implement training for a DevSecOps role:
- DevOps and Security Together Should Be a Priority for Every Team: This seems like a no-brainer, except for the fact that 68% of professionals demand that business doesn’t slow down, and that means some priorities fall off the table. Unfortunately, cross-department communication tends to be one of the first victims. The introduction of DevSecOps ensures security stays a priority, and ongoing training will ensure the team stays current.
- Security Should Be Tracked the Same as DevOps: All too often, security can fall by the wayside during the development process in the drive to deliver code on time. By tracking security alongside all other business-critical processes, you will keep it fresh, up to date and always present. Your DevSecOps will provide the necessary oversight and reporting required.
- Applications Should Be Secured: Applications are always tested for functionality to ensure everything works as planned, but what about testing for what can possibly go wrong? According to TechBeacon, 92% of web applications have security flaws or weaknesses that can be exploited. This is where your DevSecOps, along with the right AppSec testing tools, will save the day.
- Code Should Be Secured: While many developers earned a degree in computer science, every real coder learned their craft by writing countless lines of code. They know the syntax of a given language and the semantics of turning a spec into a working code snippet or program. Unfortunately, statistics have shown that 44% of developers cannot code securely.
- Security Should Be in Every Stage of the Deployment Pipeline: Security may not be a sexy topic, but today’s agile development-driven environment is at the core of digital transformation and security deserves a place at its side. DevSecOps ensures that security has a place at all stages from design to development to testing to deployment and ongoing maintenance.
The bottom line is that every organization with an in-house development team should also have training specific to the security needs of that team. They will also need ongoing training and tools to ensure success.
DevSec Mentoring Made Easy
nVisium empowers organizations to eliminate application and cloud security vulnerabilities before cyber threats exploit them with proven in-depth security assessments, remediation and training programs. Our experienced team of security-savvy developers and engineers guide organizations to build best practices with high ROI into their engineering and secure development lifecycles across applications, operating systems, networks, mobile, cloud and IoT through services, software solutions and R&D unique to business operations and compliance initiatives. Additionally, nVisium provides a fully managed platform for tracking and measuring performance as well as instructor-led and online training.
nVisium’s DevSec Mentor training platform was created to replace outdated teaching methods such as CBTs (Computer-Based Training) by providing an in-depth and engaging online training experience. Our training focuses on how application security vulnerabilities manifest and requires participants to find and remediate high risk code in order to progress in a game-like setting.
One of the more difficult issues with training is demonstrating the real-world impact of a specific vulnerability. nVisium uses games to teach developers and information security professionals to think like hackers by launching real-world attacks against applications and seeing the impact of these attacks as they land against other teams in the event. Depending on the style of game requested, defensive players may then implement fixes, and watch attacks fail in real time.
Now is the time to train your developers with the latest security tips and techniques to ensure their skills are up to standards in a post-COVID-19 world. Schedule a demo today, or download our new eBook titled “Demystifying DevSecOps” to get started yourself.