INFORMATION SECURITY

Developing a security-first culture in a hybrid workplace

By M. Laraib

Improving online security habits

Those in cybersecurity have traditionally held the role of maintaining network integrity close to the vest. However, by perpetuating a stereotype that only a select few at a company can handle that responsibility, they are doing a disservice to those of us who believe that building a security-first culture should be a company-wide initiative.

In a remote, mobile-centric world where everyone in your company is an endpoint, IT leaders must put some cybersecurity responsibility into the hands of the very people who may be the most vulnerable—their employees. We’ve all read about the recent cybersecurity attacks against Colonial Pipeline, the U.S. meat industry, EA and others; they prove that security incidents can happen in any industry. Companies with a security-first culture empower employees at every level of the organization with security tools that make employees’ lives simpler through great UX, and with supportive training tailored to specific remote user behaviors and skill sets.

To instill a security-first culture in any organization, we must change how we think about security in a corporate sense and influence how every employee implements security in their daily work environment (wherever that may be). Business leaders and IT leaders need to take a step back, acknowledge four distinct improvements to make in their cybersecurity landscape, and take tangible steps to respond accordingly.

1. Recognize that cybersecurity is as much about the people as it is about technology

The risk among remote users isn’t just malevolent foreign actors or high-tech network hacking schemes; it is human nature. When more than 1 in 3 remote workers admit they feel overwhelmed by the need to keep track of all their account credentials, it is easy to see how apathy, short attention spans, and bad cyber habits are the true adversary of a secure network.

If you’re an IT administrator, you likely need to shift some of your focus (and resources) away from protecting your endpoints and infrastructure with technology and invest in ways to change employee behavior, mindset, and security habits.

Communication is a huge factor in accomplishing this goal, and it needs to begin as early as your onboarding process. IT leaders should proactively partner with HR and/or Training to help instill good security habits before any employee ever logs into a network. Employees want to do the right things when given proper training and motivation.

Many organizations are gamifying their security training and rewarding those who demonstrate a security-centric attitude. This creates the opportunity to encourage and support those with poor scores and reward individuals or teams with good security habits. With regular updates, you can demonstrate progress toward implementing both individual and corporate security goals. When employees recognize that you are making security a priority, it is easier for them to do so.

2. Recognize the changing face of remote users and treat each one accordingly

While there is a significant increase in the number of employees working remotely, there is also a dramatic change in the skills and attitude of remote workers. In addition to the traditional power users (executives, road-warriors, IT, etc.) our research indicates that there are three other common remote user types that IT teams must identify, accommodate, and motivate to implement a true security-first culture.

The Desensitized User

This largest group of remote users is dangerous not because they are incompetent but because they have grown too comfortable online. When faced with security challenges like remembering multiple credentials, they take the easy way out and use insecure passwords or simply reuse old ones.

To reach the Desensitized User, it is critical that you show them you are focused on solving their frustration and making their lives simpler. Don’t just give your bad-credential users a password manager and a user manual. Spend time in training to demonstrate how it streamlines their processes, stress the benefits of efficiency, and reinforce the messaging by reminding them that they play an essential role in cybersecurity for the whole company.

The Above it All User

These are the power users that IT has traditionally focused on.

While they may be cyber-rockstars, you still need to introduce user-friendly security tools. A good way to counter potential objections is to remind The Above it All User that taking a security-first position is the only way to truly maintain the fluid boundaries of work and home life that they have become accustomed to.

The Out of Touch User

These users are the opposite of your power users. They have relatively low tech-IQ and, if not for the pandemic, would not likely work remotely. They regularly leave their devices unlocked and are the type to have their passwords on a sticky note.

To motivate change among Out of Touch Users, you need to instill a sense of responsibility. There are countless real-world examples you can point to of how massive organizations have been brought down simply because one person was careless or “out of touch.”

But you can’t just scare them into compliance; you also need to recognize their limitations. So choose security tools with short learning curves, and provide ample and frequent training and support to remind them what they should be doing without calling out their lack of tech acumen.

The On Top of It User

Your On Top of It Users rely on technology to help them accomplish their goals. Unfortunately, this need-it-now attitude often means they choose efficiency over security.

In-depth training isn’t as critical for the On Top of It User. They need to see that you understand their Type-A needs and that you have sought out tools that have seamless UX and won’t slow them down when using the platforms they depend on to succeed. IT staff, policy, and tools need to be seen as shortcuts rather than roadblocks.

3. Understand that a hybrid workspace requires more flexibility than a traditional work environment

As many as 42% of the U.S. labor force was working from home full-time during the pandemic. And that number isn’t changing anytime soon. Perhaps the scariest aspect of this phenomenon from a security perspective is the co-mingling of company-managed and personal devices.

Many companies were just coming to grips with implementing BYOD policies that allowed employees to bring their personal technology into the office. Now they are being thrust into an even more uncomfortable position of accommodating remote workers with unsecured home devices and networks. While a rigid stance made sense for BYOD, the new hybrid workspace will require a softer, more collaborative approach.

This means that IT needs to take the position that every device, browser, operating system, or network will become part of your corporate security profile. Therefore, you need security products that work consistently across all devices. The hybrid workspace requires more emphasis on, and investment in, Identity and Access Management (IAM) tools, password training and management tools, and security-first protocols that simplify the security process for employees without intervening in their personal lives.

Employees need to see IT in the role of a facilitator rather than a gatekeeper by providing tools and support that make it easier for employees to do their job remotely.

4. Provide people with tools that make their lives easier, and they will utilize them

In even the best-built corporate cultures, there is a tendency to backslide into a comfort zone. We know that, left to their own devices (no pun intended), remote employees are prone to taking shortcuts that are not representative of a security-first culture.

Developing a security-first culture means achieving a better blend between technology and humanity, which ultimately requires tools that align employees’ beliefs about security with their online behaviors.

There are a few specific factors that IT teams must take into consideration when evaluating any security tool and IT leaders can apply those same concepts before implementing any new security product.

It must have a simple user interface. Security for all employees means being able to accommodate the lowest-common-denominator in technology experience and skill set. Tools with a simple and elegant user interface will be seen as easy by low-tech workers and streamlined for your power users.

It must easily integrate with a variety of personal technology products. Your employees likely didn’t consult corporate before making their at-home technology purchase. Security technology that works seamlessly with their home devices and networks will have a significantly better chance of broad-based adoption than those that do not.

It must provide a user experience that improves employee workflow. Adapting to remote work is challenging; security tools must help streamline employees’ workflow and make users’ lives easier during these difficult times. Endpoint security software automatically patches and installs updates on employees’ personal and business devices, while a password manager eliminates the need to remember multiple credentials. These tools require less effort and deliver better performance.

Empowering people to be part of the solution

To instill a company-wide security-first culture, organizations must think of security as a human challenge, recognize the changing face of their remote user base, learn from the critical lessons taught by our collective COVID-19 experience, and strike a balance between securing their business interests and improving their employees’ workflow.

Successful organizations will ultimately thrive in the new hybrid environment because they will pivot how they think about cybersecurity. By seeking both advanced technology and human-centered solutions to security challenges, they will provide a simple and seamless user experience, empower employees to do their jobs wherever they are most productive, and give them peace of mind that their information and online identity are secure.

Newly-registered domain name tracking made easier with DomainTools’ new feed

By M. Laraib

The feed also monitors newly observed domains too

Domain name and DNS-based cyber threat intelligence provider DomainTools has launched a new service that tracks all newly-registered and newly observed domains identified by its globe-spanning detection network.

Named Domain Discovery Feed, the real-time list produces daily information in the form of a running feed and lists all new domain details.

The Domain Discovery Feed is delivered as a text file listing the observed domain names.


Dan Fernandez, Senior Product Manager at DomainTools offered more details on the launch of the Domain Discovery Feed, saying: “With nearly 20 years of experience gathering, processing, and provisioning domain-related data, DomainTools has built unmatched capabilities for detecting the presence of new domains, as well as changes to existing ones, making Domain Discovery Feed the most accurate and complete industry feed for harnessing new domain intelligence.”

Fernandez added that the new IP Risk products, IP Hotlist and Hosting IP Risk Feed, are unlike traditional IP reputation lists as they use predictive assessments based on DomainTools Domain Risk Score to predict how likely a given domain is to be malicious, even before the domain has been weaponized.

This is so that those in need of the information will have the ability to pinpoint and characterize some of the most dangerous infrastructure on the Internet.

In the same breath, the company announced a new line of IP Risk products to identify potentially dangerous infrastructure based on hosted domains. 

This brings the total number of feeds DomainTools offers to three, the second and third being IP Hotlist, designed to track the risky population of hosting IP addresses, and Hosting IP Risk Feed, a daily feed of all IP addresses found to be hosting at least one domain.

The IP Hotlist, created daily, offers tracking of IP addresses on the Internet that have had traffic to malicious domains while the Hosting IP Risk Feed contains all IPv4 addresses hosting at least one domain.

Prevention is Better Than Cure: The Ransomware Evolution

By M. Laraib

Ransomware tactics have continued to evolve over the years, and remain a prominent threat to both SMBs and larger organisations. Particularly during the peak of COVID-19, research by IBM found that ransomware incidents ‘exploded’ in June 2020, which saw twice as many ransomware attacks as the month prior, taking advantage of remote workers being away from the help of IT teams. The same research found that demands by cyber attackers are also increasing, to as much as £31 million, which for businesses of any size threatens survival.

In recent months, ransomware attacks have not left the mainstream media headlines. With the number and frequency of ransomware attacks increasing, not to mention the innovation in distribution methods, this should be a wake-up call for organisations to strengthen their defences. Jack Garnsey, Product Manager for Security Awareness Training and SafeSend at VIPRE, explains that by taking a preventative approach, businesses can take the necessary steps to strengthen their cybersecurity posture. This includes a combination of education, processes, hardware and software to detect, combat and recover from such attacks if they were to arise.

Ransomware in the 21st Century

Ransomware is not a new phenomenon, but its use has grown exponentially, and has led to the development of the term ‘Ransomware as a Service’ (RaaS), which is a subscription-based model that enables affiliates to use already-developed ransomware tools to execute attacks.

As ransomware incidents become more sophisticated and frequent, such as the increase in fileless attacks which exploit tools and features that are already available in the victim’s environment, the level of potential damage to a business is heightened. These types of attacks can be used in combination with social engineering targeting, such as phishing emails, without having to rely on file-based payloads. And unfortunately, ransomware is extremely difficult to prevent – all it takes is one employee clicking on the wrong link in an email or downloading a malicious attachment. 

No matter the size of an organisation, the effects of ransomware can be devastating financially, as well as inflicting longer-term damage to business reputation. The Irish Department of Health and Health Service Executive (HSE) were recently attacked by the Conti ransomware group, who reportedly asked the Health Service for $20 million (£14 million) to restore access. This attack caused substantial cancellations to outpatient services, part of a system already stretched to the max due to COVID-19. Some ransomware gangs operate by a flimsy code of “ethics”, stating they don’t intend to endanger lives, but even if a minority of ransomware organisations are developing a sense of conscience, businesses are not exempt from the damage that can be done by such attacks.

Additionally, in the US, Colonial Pipeline paid the cyber-criminal group DarkSide nearly $5m (£3.6m) in ransom, following a cyber-attack which took its service down for five days, causing supplies to tighten across the US. Unfortunately, when under attack, a majority of businesses, such as the major pipeline, often pay the ransom. Luckily for Colonial Pipeline, some of the money was later recovered by the American Department of Justice’s Ransomware and Digital Extortion Task Force. But if they pay once, they will pay multiple times. A successful ransomware attack can be reused many times against many organisations, turning an attack into a cash cow for criminal organisations offering Ransomware as a Service. So much so that there is now an ongoing debate around whether it should be illegal for businesses or individuals to pay a ransom, in order to try to deter the attackers, or at the minimum whether they should be required to report it to the necessary regulators.

Contain and Report It

If a ransomware attack were to take place, it is important that the organisation works with local authorities to try to rectify the issue and follow the guidance. Often, many ransomware attacks go unreported – and this is where a lot of criminal power lies. 

Prevention is always better than cure, and damage limitation and containment are important right from the outset. As the United States’ President, Joe Biden, highlighted in his recent letter to business leaders around ransomware: “The most important takeaway from the recent spate of ransomware attacks on U.S., Irish, German and other organizations around the world is that companies that view ransomware as a threat to their core business operations, rather than a simple risk of data theft will react and recover more effectively.” 

Most organisations should have a detailed disaster recovery plan in place and if they don’t, they should rectify this immediately. The key to every disaster recovery plan is backups. Once the breach has been contained, businesses can get back up and running quickly and relatively easily, allowing for maximum business continuity. 

As soon as the main threat has passed, it is recommended that all organisations conduct a full retrospective audit, ideally without blame or scapegoats, and share their findings and steps taken with the world. Full disclosure is helpful – not only for customer, client or patient reassurances, but also for other organisations to understand how they can prevent an attack of this type being successful again. 

The Support of Digital Tools

When it comes to ransomware, the importance of getting security foundations right must be emphasised. These attacks are not likely to stop or slow any time soon, but their success can be prevented with the right security armoury. 

To mitigate the threat of ransomware in particular, it is crucial to have endpoint protection in place that protects at the file, application and network layers across all devices, and to respond to security alerts in real time. Ensuring that every device is protected and complies with the same standards has never been more important than during the ongoing pandemic, with employees dispersed and working from home.

Additionally, solutions such as email attachment and URL sandboxing are vital, as these digital tools protect against malicious emails. They help prevent dangerous links, attachments or other forms of malware from entering the user’s inbox by examining and quarantining them. By filtering out this traffic and automatically restricting dangerous content, businesses can maintain greater control over email and the access points to the network.

The Human Layer

The users themselves are a key part of any security strategy. Those who are educated about the types of threats they could be vulnerable to, how to spot them and the steps to take in the event of a suspected breach, are a valuable and critical asset to any organisation.

Employees need to be trained to be vigilant, cautious, suspicious and assume their role as the last line of defence when all else fails. The final decision to click send on an email or a link lies with the human, but this one click could mean the entire organisation falls prey to a ransomware attack. The key is to change the mindset from full reliance on IT, to one where everyone is responsible. In order to strengthen a business’ human layer protection, security awareness training and education must be implemented across the board.

These programmes are designed to support users in understanding the role they play in helping to combat attacks and malware. Using phishing simulations, for example, as part of the wider security strategy, will help to give employees insight into real-life situations they may face at any point. The importance of testing your human firewall was also outlined in Joe Biden’s ransomware letter: “Use a 3rd party pen tester to test the security of your systems and your ability to defend against a sophisticated attack. Many ransomware criminals are aggressive and sophisticated and will find the equivalent of unlocked doors.”

Conclusion 

Cyber security is a multi-faceted, complicated area, and one which must receive investment in each layer, from the technology to the people, to the tools we give to the users. Nevertheless, businesses of all sizes can safeguard their data and themselves from these types of ransomware attacks by investing in their cybersecurity and ensuring their workforces are conscious and informed of the threats they face. 

Both detection and prevention play a key role in stopping ransomware, but it shouldn’t be one or the other. The essence of a solid cybersecurity strategy is a layered defence that includes endpoint detection and response, email security, advanced threat protection, web security and a business-grade firewall for the security of your network – at its most basic. But even with the most sophisticated software in place, hackers make it their mission to stay one step ahead of IT defences. That is why regular training, in addition to complementary security tools which reinforce security best practice, can provide a fortified strategy for users to mitigate the threat of a cyberattack.

Unsecured cloud database leaked personal information of over 100m US citizens

By M. Laraib

Leaks such as these are easily avoidable, suggest researchers

An emerging B2B sales and marketing company leaked personally identifiable information (PII) of up to 126 million US citizens, according to cybersecurity researchers.

Researchers at vpnMentor discovered an unsecured database on Amazon’s cloud computing platform AWS, which they traced back to the US-based marketing company OneMoreLead.

vpnMentor argues that the information in the database, which included email addresses, home addresses, phone numbers, and more, could easily have been used to perpetrate identity theft or financial fraud, or to devise effective phishing campaigns.

Furthermore, the database also contained job titles, employer names, and work contact details of the individuals, which vpnMentor believes could be used to conduct business email compromise scams.

Mysterious origins

While OneMoreLead was quick to protect the database once alerted, vpnMentor has also raised questions about the origins of the data.

According to vpnMentor’s report, OneMoreLead claims to have over 40 million clients, although it doesn’t list them on its website. Furthermore, vpnMentor says the company started in 2020 and it’s “unlikely they collected data from 126 million people since opening in 2020.”

Interestingly, vpnMentor says that the exposed data bears an uncanny resemblance to a leak originally linked to German B2B marketing company Leadhunter in 2020, which at the time denied ownership of the leaked data.

In any case, the researchers suggest that such leaks from unprotected databases are becoming more common. 

“However, any leak like this could be easily avoided with some basic security measures taken including securing servers, implementing proper access rules, and never leaving a system that doesn’t require authentication open to the internet,” suggest vpnMentor researchers, Noam Rotem and Ran Locar.

There’s yet another new PrintNightmare hack

By M. Laraib

Nightmare indeed – so patch now

The PrintNightmare vulnerability is living up to its name with another cybersecurity researcher exploiting the bug in a privilege escalation attack.

PrintNightmare created havoc when it was accidentally disclosed by Chinese security researchers who published a proof-of-concept exploit believing that the vulnerability in the Windows Print Spooler had already been patched by Microsoft. The disclosure pushed the company to release a new patch addressing the remote code execution (RCE) vulnerability as well.

Now, Benjamin Delpy, creator of popular post exploitation tool Mimikatz, has found a way to exploit the vulnerability in the Windows Print Spooler to enable any user to gain admin privileges on a vulnerable computer.

According to reports, Delpy’s workaround takes advantage of the fact that Windows doesn’t prevent Limited users from installing printer drivers. Furthermore, it won’t complain when these drivers are fetched from remote print servers, and will then run them with the System privilege level. 

No end to the abuse

After issuing an out-of-band update, Microsoft also included the PrintNightmare patch in its July Patch Tuesday.

Notably, a number of security researchers, including Delpy, had raised concerns about the patch, arguing that the way Microsoft checks for remote libraries in the PrintNightmare patch leaves an opening to work around it.

In a tweet, Delpy mentioned that PrintNightmare has taught him “a lot about printer spooler & drivers (even how to build and sign them).”

He’s put all his learnings into action by demonstrating a proof-of-concept (PoC) that downloads a rogue driver that misuses the latitude it’s given by Windows to eventually fire up a system prompt even for a user with a limited access account. 

Speaking to Bleeping Computer, Delpy shared that we haven’t seen the last of Windows print spooler abuse, pointing to a couple of upcoming sessions at DefCon and Black Hat conferences that will share new shortcomings and exploits.

University of South Australia creates top security role

By M. Laraib

In an attempt to boost its cybersecurity posture, the University of South Australia (UniSA) has created its first ever chief information security officer (CISO) role.

The university is actively recruiting for the position.

The move comes after UniSA experienced a cyberattack in May of this year, causing the school to disable computer access and access to a number of systems, including staff email and remote access.

The Chief Information Officer at UniSA told local news that the creation of the new role is not in response to the previous cyber incident, but is in response to the increase in cybersecurity threats since the COVID-19 pandemic began.

Maybe don’t use browsers to store your passwords

By M. Laraib

Employees continue to engage in risky behavior despite the risks

Alongside poor password hygiene, reliance on the password managers built into web browsers was another security faux pas highlighted by a recent survey.

Commissioned by access management vendor ThycoticCentrify, the survey noted that more than a third (35%) of the respondents admitted to relying on their web browser to store credentials on their personal and work devices.

“By cracking only one of those devices, an attacker can easily access all the passwords stored within the user’s browser. This makes it so much easier for an attacker to elevate privileges without being detected and gain access to the user’s email, company cloud applications, or even sensitive data,” pointed out Joseph Carson, chief security scientist and advisory CISO at ThycoticCentrify.

Carson argued that even if a personal device is compromised, the attacker can use the authentication information stored in its web browser to analyze the user’s password habits and create all possible combinations of a password using cracking tools to eventually gain access to their well-protected corporate applications and system. 

Knowledgeable ignorance

The survey covered over 8,000 knowledge workers from more than a dozen countries, to get a handle on risky employee activities.

The research revealed that more than half (55%) of the respondents don’t mind connecting to a mobile hotspot even in a work-based scenario, while 32% have no qualms about connecting to public WiFi networks.

Furthermore, while 23% of the respondents have used personal devices inside their corporate network, 34% admitted to sending work documents to a personal computer.

Surprisingly, an overwhelming majority (79%) chose to engage in risky behavior despite knowing the security implications of their actions.

“When faced with a choice between productivity and cyber security, employees will take the easy path and this mostly means sacrificing security,” concludes the research, suggesting that businesses must strike a balance between people and technology to properly protect themselves from cyber threats.

The Google Play Store may need a serious security upgrade

By M. Laraib

Google’s protection mechanism comes dead last in test of 15 security apps

Google’s Play Protect security service has fared poorly in an endurance test of Android security apps.

With the number of malware-laden apps on the rise, AV-Test pitted 15 security apps against each other to rate their ability to fend off such dubious apps.

“Included in the test as the 15th app in the mix was Google Play Protect, the protection app embedded in Android. … But the endurance test revealed that this service does not provide particularly good security: every other security app offers better protection than Google Play Protect,” says AV-Test.

Besides Google Play Protect, the test included the apps from AhnLab, Avast, AVG, Avira, Bitdefender, F-Secure, G DATA, Ikarus, Kaspersky, McAfee, NortonLifeLock, Protected.net, securiON and Trend Micro.

Subpar performance

AV-Test put the 15 apps through an endurance test that lasted six months. They were evaluated in terms of protection, performance and usability, with six points for each category, for a total of 18 points.

Over half (9) of the apps managed a perfect score of 18, while four scored between 17.1 and 17.8, and one scored 16. Google Play Protect not only brought up the rear; its measly score of six was a far cry from its peers.

It didn’t fare any better in terms of detecting infected apps. While a handful of apps managed to flag all of the 20,000 tainted apps for a score of 100%, Google Play Protect was once again last with a detection score of 68.8%.

Google Play Protect’s poor showing perhaps explains how threat actors are repeatedly able to slip malware-laden apps into Google Play.

Meanwhile, Google continues to improve its privacy protection measures. Following its announcement to introduce Apple app store-like privacy labels, the makers of Android shared additional details about the upcoming safety section in Google Play.

Hackers have found yet another way to attack Kubernetes clusters

By M. Laraib

Double-check the configuration of your cloud containers, security experts warn

Cybersecurity researchers have detailed a new attack vector that drops cryptomining malware in Kubernetes clusters by exploiting misconfigured Argo Workflows instances.

Argo Workflows is an open source workflow engine for Kubernetes that simplifies the process of orchestrating parallel jobs on Kubernetes clusters.

Researchers from Intezer found hundreds of Argo Workflows instances with misconfigured permissions, and observed many being abused by malicious threat actors.

“We have identified infected nodes and there is the potential for larger scale attacks due to hundreds of misconfigured deployments. We have detected exposed instances of Argo Workflows that belong to companies from different sectors including technology, finance and logistics,” note Intezer’s Ryan Robinson and Nicole Fishbein in a joint blog post.

Improperly configured

The researchers argue that even products like Argo Workflows, which are designed to reduce deployment complexity, can become a source of exploitation if they are not configured properly.

While hunting for such misconfigured instances, the researchers found several that were either unprotected or had liberal permission settings that would allow any user to deploy workflows.

“In one cluster, we noticed that a popular cryptocurrency mining container, kannix/monero-miner, which used XMRig to mine for Monero cryptocurrency, was being deployed,” the researchers write.

As a side note, the researchers note that while the kannix/monero-miner has since been removed from Docker Hub, the popular Docker repository still lists at least 45 other cryptomining containers that have clocked millions of downloads.
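The two conditions the article describes, an Argo Workflows instance that lets anonymous users submit workflows and a workflow running a known mining container, can both be checked from the cluster's own API objects. The following is an added example, not code from Intezer or the Argo project. It audits the JSON shapes that `kubectl get workflows -o json` and `kubectl get clusterrolebindings -o json` return; the sample objects, the role definitions and every indicator except the page's own kannix/monero-miner image are constructed for illustration.

```python
"""Audit Argo Workflow objects and RBAC bindings for the two misconfigurations
discussed above: anonymous workflow submission and cryptomining containers.

Added example, not Intezer's or Argo's code. The sample data below is
constructed and mimics `kubectl ... -o json` output.
"""
import re

# kannix/monero-miner is the image named in the article; the other indicators
# are assumptions about what miner images and arguments typically look like.
SUSPICIOUS_IMAGE_RE = re.compile(r"(monero-miner|xmrig|minerd|cpuminer)", re.I)
SUSPICIOUS_ARG_RE = re.compile(r"(stratum\+tcp://|stratum\+ssl://|--donate-level)", re.I)

# Kubernetes subjects that mean "anyone who can reach the API server".
ANONYMOUS_SUBJECTS = {"system:unauthenticated", "system:anonymous"}


def workflow_containers(workflow):
    """Yield (template_name, container_spec) for container and script templates."""
    for tmpl in workflow.get("spec", {}).get("templates", []):
        for key in ("container", "script"):
            spec = tmpl.get(key)
            if spec:
                yield tmpl.get("name", "?"), spec


def audit_workflows(workflows):
    """Return (namespace/name, template, reason) for workflows that look like miners."""
    findings = []
    for wf in workflows:
        meta = wf.get("metadata", {})
        ident = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
        for tname, c in workflow_containers(wf):
            image = c.get("image", "")
            argv = " ".join(c.get("command", []) + c.get("args", []))
            if SUSPICIOUS_IMAGE_RE.search(image):
                findings.append((ident, tname, f"suspicious image {image}"))
            if SUSPICIOUS_ARG_RE.search(argv):
                findings.append((ident, tname, "miner-style arguments"))
    return findings


def audit_rbac(bindings, roles):
    """Flag bindings that let anonymous subjects create Argo Workflows.

    `roles` maps a role name to its list of rules, each a dict with
    "apiGroups", "resources" and "verbs" lists, as in a (Cluster)Role object.
    """
    findings = []
    for b in bindings:
        subjects = {s.get("name") for s in b.get("subjects", [])}
        if not subjects & ANONYMOUS_SUBJECTS:
            continue
        role_name = b.get("roleRef", {}).get("name")
        for rule in roles.get(role_name, []):
            groups = set(rule.get("apiGroups", []))
            resources = set(rule.get("resources", []))
            verbs = set(rule.get("verbs", []))
            if ({"argoproj.io", "*"} & groups and {"workflows", "*"} & resources
                    and {"create", "*"} & verbs):
                findings.append((b.get("metadata", {}).get("name", "?"), role_name,
                                 "anonymous subject may create workflows"))
    return findings


# Constructed sample data: one benign ETL workflow and one miner deployment.
SAMPLE_WORKFLOWS = [
    {"metadata": {"name": "nightly-etl", "namespace": "data"},
     "spec": {"templates": [{"name": "extract",
                             "container": {"image": "python:3.11", "args": ["etl.py"]}}]}},
    {"metadata": {"name": "hello", "namespace": "default"},
     "spec": {"templates": [{"name": "mine",
                             "container": {"image": "kannix/monero-miner:latest",
                                           "args": ["-o", "stratum+tcp://pool.invalid:3333"]}}]}},
]

SAMPLE_ROLES = {
    "argo-submit": [{"apiGroups": ["argoproj.io"], "resources": ["workflows"],
                     "verbs": ["create", "get"]}],
    "argo-view": [{"apiGroups": ["argoproj.io"], "resources": ["workflows"],
                   "verbs": ["get", "list"]}],
}

SAMPLE_BINDINGS = [
    {"metadata": {"name": "argo-anon"}, "roleRef": {"name": "argo-submit"},
     "subjects": [{"kind": "Group", "name": "system:unauthenticated"}]},
    {"metadata": {"name": "argo-viewers"}, "roleRef": {"name": "argo-view"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
]

if __name__ == "__main__":
    for f in audit_workflows(SAMPLE_WORKFLOWS) + audit_rbac(SAMPLE_BINDINGS, SAMPLE_ROLES):
        print(*f, sep="\t")
```

On a live cluster the same functions can be fed the `items` array from `kubectl get workflows -A -o json`, and the binding and role objects from `kubectl get clusterrolebindings,clusterroles -o json`; a hit from `audit_rbac` is the configuration gap the article warns about, while hits from `audit_workflows` indicate it is already being abused.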

What do developers want and need from secure coding training?

M. Laraib

Secure code training priorities

Cybersecurity is increasingly becoming integrated into software development initiatives. As part of this, application security (AppSec) specialists often work closely with software development teams to improve security within the applications they create. However, there is still confusion about the role developers play in software security, and whether responsibility for it should rest solely on their shoulders.

The best way for companies to avoid confusion and address secure coding practices head on is to acknowledge inconsistencies exist, and from there, apply a modern approach to developer AppSec awareness and training across the board. Here’s how.

Understanding the developer perspective

The vast majority of developers today want to create more secure code. In fact, recent research found that when developers were asked about the skills they prioritized learning or improving most during the pandemic, the top response was AppSec / secure coding (46%). Whether due to competitiveness amongst peers, a heightened sense of responsibility, or even a personal desire for perfection, they readily acknowledge that security training is imperative to the work they do. However, it isn’t something they often let impact their primary objective – to develop and deliver feature-packed software at speed – which is where issues emerge.

The vast majority of today’s developers are measured by the speed of delivering workable code, not by the number of security vulnerabilities contained within it. This means that, although they’re aware of the need to deliver bug-free code, and most put effort into doing just that, cumbersome secure coding education solutions that slow developers down aren’t deemed necessary to daily duties. Some likely even consider them a nuisance.

To ensure the delivery of secure code, team leaders must begin treating security vulnerabilities as seriously as they do coding bugs. This will establish the importance of secure coding among teams, allowing organizations to then implement a programmatic approach to AppSec awareness and training.

Training in practice

Video tutorials, lectures, slide decks, periodic classroom training, and mandatory online courses are all standard approaches to AppSec training, yet they often fail to actually help, or retain the attention of, developers. That’s because these approaches are generally treated as boxes that need to be checked on a to-do list, and not as vitally important tools for securing an application.

Training and development to change this mindset needs to be easily accessible, relevant, and immediately actionable, instead of just a means of delivering information to instill knowledge. Learning occurs best when training is targeted to a specific set of behaviors or skills and is delivered in a real-time context relevant to the learner. Businesses must do better here to ensure delivery is in a style that best suits developers and the various ways they enjoy absorbing information.

Effective AppSec awareness and training programs should also harness all of the benefits modern technology affords us. Much in the same way an engaging mobile app can influence the behavior of users, the foundation for efficient secure coding practices can be rooted in gaming principles and technology-driven traits that keep users engaged long-term.

Organizations looking to exploit this should use stories and examples. This enables participants to feel directly and emotionally involved with the content, improving retention. This level of interactivity might also result in developers paying more attention, yielding a higher chance of learning and retaining information – important when considering many people learn more effectively by doing and experiencing, rather than just by hearing or seeing.

Finally, using short content, which is precise and to the point, eliminates irrelevant information, and increases the likelihood of engagement. Given time is a precious resource for developers, the briefer the better.

Periodic assessments

It’s vital that an organization’s AppSec awareness metrics are always on the rise too. After all, what’s the point of investing in awareness and training solutions if they don’t reduce software security risks? To ensure this is the case, organizations need to closely monitor the progress of development teams. Continuous improvement is the desired result, and to achieve this, organizations need to periodically assess the current state of their developers’ security mindset.

An easy way to measure secure coding skills is to use assessments that take 10-15 minutes to complete and can be assigned to individuals or teams. These can be used to establish a clear baseline allowing organizations to see the impact of training over time, identify knowledge gaps and nurture those who require more training. A key goal of assessments is to determine if developers need more training, identify areas of weakness, measure and report on improvements, and finally, reduce repetitive coding errors.

Taking responsibility

The stark reality is that despite most organizations wanting to increase security awareness amongst their employees, many don’t know where to begin. With AppSec ownership continuing its gradual shift from IT to DevOps, securing the development pipeline is a skill developers must learn.

Moreover, the same survey as referenced before discovered that over half (55%) of developers had taken on ‘somewhat’ or ‘significantly more’ application security responsibility over the past year. This makes it even more important for businesses to ensure developers are being supported with necessary training. Doing so will drive true change in the way developers and DevOps teams think about security.

Final thoughts

By following these recommendations and ensuring developers receive the appropriate AppSec training both as a priority and in a way in which they can truly engage and learn, organizations can stay one step ahead of constantly evolving threat actors, and ensure that more secure software applications are being released.