The Developers’ Skills Gap for Secure DevOps
In today’s application economy, we’re seeing ever-greater demand on software development. Software and applications have risen to the front office, where missed deadlines result in lost revenues and poor functionality can lead to lost customers. Increasingly, businesses are embracing DevOps to feed their need for speed, binding together the previously separate development and operations teams.
At the same time, the constant stream of news around vulnerable software and application-related data breaches is giving weight to DevSecOps, which integrates security into the development and testing of software for faster, better quality and more secure outcomes.
Traditionally it was the developer’s job to ensure that code was functional. This practice was reinforced by the previous divide between the development, operations and security teams – as long as the application was delivered on time and it worked, their job was done. It was then down to the security team to ensure it was secure and to the operations team to keep the lights on.
Yet the shift towards DevOps has meant that developers now have to take a more active role in assuring both the quality and the security of their code. This is creating fresh challenges for developers, for whom the security of the code was at best an afterthought.
The shortcomings of formal education
The shift to DevOps – and increasingly DevSecOps – has highlighted how today’s formal education for IT and development professionals has not evolved in line with enterprise practices. A recent survey, commissioned by Veracode and DevOps.com, found that, while 65% of DevOps professionals state that it is very important to have knowledge of DevOps when entering into IT, three quarters of respondents indicated that they aren’t receiving the necessary training during formal education that will enable them to be successful in DevSecOps.
Many university computer science courses are not currently able to provide practical guidance on how to mitigate security flaws in code – a crucial component of the new DevSecOps developer’s role. While nearly 80% of our respondents hold either a bachelor’s or a master’s degree, 70% stated that their security education does not meet their current position’s requirements.
While there is a question as to whether universities ought to introduce more practical learning into their courses alongside the current theoretical focus, in the short term another solution is required.
Until we start to see formal education putting a greater emphasis on teaching developers and software engineers how to build more secure code, it will be down to those organizations adopting DevOps to upskill their developers in identifying and mitigating vulnerable code.
Upskilling your development team
My own personal experience in managing development teams to resolve this security skills gap has shown that there’s no quick fix. Beyond any technical training requirements, development team managers understand that making security a priority within the existing culture is perhaps the greatest hurdle.
So, what can development team managers introduce to upskill their developers in secure coding and avoid a culture backlash? Here are the three approaches I’ve found to be most effective.
Third party training
Either in the classroom or through eLearning, third-party training was identified by a third of respondents as the most effective way to gain new skills. Unfortunately, just four per cent of those we surveyed had been afforded the opportunity.
Classroom training is undoubtedly expensive, so many organizations opt for eLearning, but it’s important that those organizations that do make this investment put in processes that will ensure a minimum ROI.
For skills as crucial as secure coding, organizations should introduce mandatory courses for new employees to set a minimum ability across the team. Setting annual goals will also ensure that people are taking certain courses.
Integrate static scanning into the DevOps pipeline
The best way to ensure that developers are creating secure code as they work is to provide them with constant feedback on what they’re writing – just as Microsoft Word’s red squiggle has been helping us avoid typos for more than a decade.
Integrating static scanning into the DevOps pipeline can provide that constant feedback, so that developers can remediate vulnerable code as they go rather than receiving a long security report of vulnerabilities at the end of development that they must go back and resolve. Not only does this help developers spot mistakes and fix them as they go, but it also spares development managers from having to decide whether to miss a deadline or push out an insecure application or update.
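One way to turn a scanner’s output into that per-change feedback, as an added example that is not from the article or from any particular vendor: a merge-gate step that reads a SARIF 2.1.0 report (the interchange format most static analysers can emit), keeps only the findings in files the developer actually touched, surfaces them as inline pull-request annotations, and fails the build when any reaches the configured severity. The scanner name, rule ids and file paths in the sample report are constructed for illustration.

```python
"""CI merge gate for SAST findings; run after the static scanner has written its SARIF report."""
import json
import sys

# SARIF result levels ranked by severity; a missing level defaults to "warning" per the spec.
LEVEL_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}


def findings_in_change(sarif: dict, changed_files: set, min_level: str = "warning") -> list:
    """Return findings at or above min_level whose location is in one of changed_files."""
    threshold = LEVEL_RANK[min_level]
    hits = []
    for run in sarif.get("runs", []):
        tool = run.get("tool", {}).get("driver", {}).get("name", "sast")
        for result in run.get("results", []):
            level = result.get("level", "warning")
            if LEVEL_RANK.get(level, 0) < threshold:
                continue
            for loc in result.get("locations", []):
                phys = loc.get("physicalLocation", {})
                uri = phys.get("artifactLocation", {}).get("uri", "")
                if uri in changed_files:  # only feed back on code the developer just wrote
                    hits.append({"tool": tool, "rule": result.get("ruleId", "?"), "level": level,
                                 "file": uri, "line": phys.get("region", {}).get("startLine", 0),
                                 "message": result.get("message", {}).get("text", "")})
    return hits


def annotation(hit: dict) -> str:
    """Format one finding as a GitHub Actions workflow command, which renders inline on the PR diff."""
    kind = "error" if hit["level"] == "error" else "warning"
    return f"::{kind} file={hit['file']},line={hit['line']},title={hit['tool']} {hit['rule']}::{hit['message']}"


def gate(sarif: dict, changed_files: set, fail_on: str = "error") -> int:
    """Print an annotation per relevant finding; return 1 (fail the step) if any reaches fail_on."""
    hits = findings_in_change(sarif, changed_files)
    for hit in hits:
        print(annotation(hit))
    blocking = [h for h in hits if LEVEL_RANK.get(h["level"], 0) >= LEVEL_RANK[fail_on]]
    return 1 if blocking else 0


# Constructed sample report (not real scanner output): one finding in a file touched by this
# change and one in a legacy file the developer did not edit.
SAMPLE_SARIF = {"version": "2.1.0", "runs": [{"tool": {"driver": {"name": "sast"}}, "results": [
    {"ruleId": "sql-injection", "level": "error", "message": {"text": "query built from user input"},
     "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/orders.py"}, "region": {"startLine": 42}}}]},
    {"ruleId": "weak-hash", "level": "warning", "message": {"text": "MD5 used for password hashing"},
     "locations": [{"physicalLocation": {"artifactLocation": {"uri": "legacy/auth.py"}, "region": {"startLine": 7}}}]}]}]}

if __name__ == "__main__":
    # In a real pipeline, load the report with json.load() and derive changed_files from
    # `git diff --name-only origin/main...HEAD`; the sample stands in for both here.
    sys.exit(gate(SAMPLE_SARIF, {"app/orders.py"}))
```

Pre-existing findings in untouched files stay visible to the security team’s own reporting without blocking the developer’s change, which is what keeps the feedback loop tight instead of turning it into another long report.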
Create security champions
Not every developer needs to be a security expert. However, they do need access to a person who has security knowledge and an affinity with how developers work. A small team of security experts can leverage their skills by training certain developers on the fundamentals of secure coding, creating security champions to bring security awareness to the entire team.
In this model the team turns to their security champion for routine secure design and coding advice. Security champions can help ensure their scrum teams prioritize security in the software development life cycle (SDLC), as well as supporting on particularly difficult security issues. Security champions ensure that no vulnerability goes unremediated through a lack of skills, and that developers receive security advice from peers who speak their language and are sympathetic to their challenges.
Time to act
As more organizations adopt DevOps and DevSecOps practices, traditional security processes will be deemed unfit for purpose. There is no question that, with the threat of cybercriminals exploiting vulnerable applications and software, organizations need to act now to upskill their developers to meet the new requirements set by this shift in development practices. Whatever approach to security upskilling they take, the need is clearly there.
Written by: Maria Loughlin
Source: https://www.infosecurity-magazine.com