Developers are often tasked with writing software with impressive features and useful functions, but how often are they asked to consider the security aspects of their creations? At least one major Australian bank wants to turn its developers into secure coders. Here are the details.
Having IT security professionals on-hand to keep your organisation secure is great but having software that was made to be more secure from the start would save a lot of the heavy lifting. Major companies seem to have cottoned on to this fact.
Secure Code Warrior, a start-up that runs gamified courses to provide developers secure coding training, has just signed a $1 million three-year deal with one of Australia's 'big four' banks to skill up its 4000 software developers. The bank wished to remain unnamed.
Secure Code Warriors' courses are done through hands-on training exercises, teaching developers to find vulnerabilities within their code and to identify patches for the flaws, scoring points along the way. They also run mini tournaments where developers compete for the title of most secure coder.
"Ensuring that application code is written more securely in the first place can significantly reduce the effort to identify and remediate vulnerabilities once applications have been deployed," Secure Code Warrior co-founder Pieter Danhieux said.
He noted that both organisations and developers too often focus on features and functions over security.
"This can result in great functional apps built with code that has both glaring and subtle security holes," Pieter said. "Security must move from a separate team into the developers themselves, especially when using Agile methodologies.
"This is demonstrated by the DevSecOps movement which says that everyone in the development process is responsible for writing in security, not just an isolated team."
The Australian bank will put its developers through a series of Secure Code Warrior courses that will test their individual ability to write secure code. Developers will have to identify a series of vulnerabilities and analyse multiple patch options in order to pass assessments.
Should there be a concerted effort to turn developers into secure coders? Let us know in the comments.