Insecure code is the problem few want to speak about. The impact of insecure coding practices is widespread and disastrous. It can result in a massive product recall, millions in lost revenue, the loss of sensitive customer data, and a headline in the Wall Street Journal.
Developing secure software, and the secure coding practices that support it, is now more critical to a company's reputation and bottom line than ever before.
We built our team with this problem front of mind, but even then we were shocked by how bad the problem really was. When trying to recruit software developers at LMNTRIX, we tested over 160 candidates using 12 basic secure coding challenges, such as locating, and identifying a solution for, Cross-Site Scripting, Injection Flaws and Authentication flaws. All developers had between 6 and 14 years' experience, and each one was given 2 hours to complete the challenges, with access to Google. With candidates scoring 10%-30%, the result was astonishing, to say the least!
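To make concrete what a "basic secure coding challenge" of the kind described above looks like, here is an added example (written for this page, not LMNTRIX's actual test material): an injection flaw and a cross-site scripting flaw, each shown as the vulnerable function beside its hardened form. The users table, its rows and the two attack payloads are constructed for the demonstration. Candidates were expected to both locate the flaw and identify the fix; the fixes here are the standard ones, a bound SQL parameter and context-appropriate HTML escaping.

```python
"""Added example: one secure-coding challenge of the kind described above
(SQL injection and cross-site scripting), as a vulnerable function beside its
hardened form. Illustrative code written for this page; the schema, sample
rows and payloads are constructed."""
import html
import sqlite3


def make_db():
    # Constructed sample data: an in-memory users table with two rows.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", 0), ("bob", 1)])
    conn.commit()
    return conn


def find_user_vulnerable(conn, name):
    # Flaw: attacker-controlled text is spliced straight into the SQL string,
    # so quotes and operators in `name` become part of the query.
    sql = "SELECT name FROM users WHERE name = '%s'" % name
    return [row[0] for row in conn.execute(sql)]


def find_user_fixed(conn, name):
    # Fix: a bound parameter. The driver passes `name` as data; it is never
    # parsed as SQL, whatever characters it contains.
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def greet_vulnerable(name):
    # Flaw: attacker-controlled text is placed into HTML unescaped, so a
    # <script> tag in `name` is rendered and executed by the browser.
    return "<p>Hello, %s</p>" % name


def greet_fixed(name):
    # Fix: escape for the HTML text context before interpolating.
    # quote=True also escapes " and ', which matters inside attributes.
    return "<p>Hello, %s</p>" % html.escape(name, quote=True)


SQLI_PAYLOAD = "x' OR '1'='1"                # constructed injection string
XSS_PAYLOAD = "<script>alert(1)</script>"     # constructed XSS string


def demo():
    """Run both payloads through the vulnerable and fixed versions."""
    conn = make_db()
    return {
        # Vulnerable: WHERE name = 'x' OR '1'='1' matches every row.
        "sqli_vulnerable": find_user_vulnerable(conn, SQLI_PAYLOAD),
        # Fixed: no user is literally named "x' OR '1'='1", so nothing matches.
        "sqli_fixed": find_user_fixed(conn, SQLI_PAYLOAD),
        # Vulnerable: the script tag survives into the page.
        "xss_vulnerable": greet_vulnerable(XSS_PAYLOAD),
        # Fixed: the tag is rendered as inert text.
        "xss_fixed": greet_fixed(XSS_PAYLOAD),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, "->", result)
```

Running the block prints the four results: the vulnerable query returns both users (the injected `OR '1'='1'` is always true), the fixed query returns none, the vulnerable greeting contains a live `<script>` tag and the fixed one contains only `&lt;script&gt;`. Note that escaping is context-specific: `html.escape` is right for HTML text and attribute values but not for data placed inside a `<script>` block or a URL, which need their own encoders.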
Finding good developers is challenging, and finding ones who can code securely is close to impossible for most industries, as software takes hold of everything from IoT devices and automobiles to financial trading applications and healthcare.
This trend is in hypergrowth. We cannot see a slowdown in the foreseeable future, as software is disrupting and taking over many industries, as we have seen with companies like Uber and Airbnb that are nothing more than software combined with a great user experience.
Most companies are faced with having to maintain software quality and security while accelerating innovation. Companies with institutionalized, standard code development processes need new ways to further reduce overall program risk, as the old method of testing software only at the end of the development cycle is clearly not working.
To more effectively address security, companies need to adopt secure development lifecycle initiatives where security deliverables are inserted in all phases of development. This will result in fewer security incidents, faster time to remediate and earlier visibility into areas of risk.
The bottom line is that there will always be a need for companies like LMNTRIX. For as long as insecure coding practices remain prevalent among vendors and companies alike, we can only expect an increase in the number of vulnerabilities exploited by adversaries.
And even if these practices are addressed, even if AI magically comes along to patch all the insecure code, it won't be able to patch all the insecure people. The other weak link will always be the human factor. Case in point: recently Carlo's own mom opened a phishing email for the second time, and he had to quarantine and rebuild her computer again.
It didn't matter how many times Carlo had warned her about opening suspicious emails; she still did it. Mom! The truth is that Carlo's mom isn't alone. People like her work across most organizations. They are smart and good at what they do, but are impossible to train when it comes to cybersecurity. Continuous user awareness training does some good, but it will never be enough.
It is clear organizations need to make a mental shift that sees them embrace a more dynamic approach to security that turns the battle in their favor. They need to think differently about how to detect and respond to threats.