Page 125 - Cyber Defense eMagazine January 2023
would only continue to get worse before it gets better because the benefits of insecure software far
outweigh the negatives. In other words, within the software development lifecycle (SDLC), organizations
prioritize being the first to market. This goal is often at odds with security, which is portrayed as a barrier
to productivity; 71% of CISOs claim their DevOps stakeholders view security as an impediment to fast
development. This results in sacrificing security in the name of speed to market, the negatives of which
are often not fully recognized until it’s too late.
The AppSec Dilemma
This pressure to quickly create and bring products to market places immense expectations on those
developing the software. And this is only increasing. 51% of developers deal with 100x more code than
ten years ago. And almost all developers (92%) feel they must write code faster than before.
With an overstretched team, ownership of application security becomes an issue: it is often viewed as
someone else’s responsibility – be that AppSec, security, or IT professionals. Yet application security
lives in a variety of places across an enterprise. Therefore, the executive team or board must buy into
the value of secure coding training. Leaders must recognize that a security-first mindset is crucial for
everyone within the SDLC. Product and project managers, DevOps, User Experience (UX) Designers,
and Quality Assurance (QA) professionals influence the end result in software development and,
therefore, will need to play a part in security. Sharing this responsibility is the first step in ensuring that
secure coding is not forgotten.
Moreover, innovation and security do not have to be mutually exclusive, and treating them this way is
likely why the number of new vulnerabilities continues to increase. Although almost always accidental,
these security flaws and lack of proper secure coding education can turn developers into non-malicious
insider threats. This insecure code can also be extremely costly; according to Boehm’s law, “the cost of
finding and fixing a defect grows exponentially with time.” Investing in proactive prevention rather than
reactive mitigation is, therefore, the most efficient solution for organizations in terms of security and an
enterprise’s bottom line.
Continuous and programmatic education
Shockingly, 53% of developers have no professional secure coding training, and none of the top 50 U.S.
undergraduate computer science programs require a code or application security course. With
workforces worldwide struggling to fill the cybersecurity skills gap, it is vital that organizations look to an
integrated and continuous approach to application security education across the entire SDLC. This must
be:
(1) Specialized
For those involved in delivering code, it is essential that training speaks directly to the issues they face
daily. Advanced, developer-specific education should be run in parallel with foundational application
security training programs for those with roles in the SDLC that may not necessarily need hands-on
expertise. These initiatives will empower the whole team to make more informed decisions around
Copyright © 2023, Cyber Defense Magazine. All rights reserved worldwide.