Should Developers Be Forced To Skill Up On Security?


Developers are often tasked with writing software with impressive features and useful functions, but how often are they asked to consider the security aspects of their creations? At least one major Australian bank wants to turn its developers into secure coders. Here are the details.

Having IT security professionals on-hand to keep your organisation secure is great but having software that was made to be more secure from the start would save a lot of the heavy lifting. Major companies seem to have cottoned on to this fact.

Secure Code Warrior, a start-up that runs gamified courses to provide developers secure coding training, has just signed a $1 million three-year deal with one of Australia's 'big four' banks to skill up its 4000 software developers. The bank wished to remain unnamed.

Secure Code Warrior's courses are delivered as hands-on training exercises, teaching developers to find vulnerabilities within their code and to identify patches for the flaws, scoring points along the way. The company also runs mini tournaments in which developers compete for the title of most secure coder.

"Ensuring that application code is written more securely in the first place can significantly reduce the effort to identify and remediate vulnerabilities once applications have been deployed," Secure Code Warrior co-founder Pieter Danhieux said.

He noted that both organisations and developers too often focus on features and functions over security.

"This can result in great functional apps built with code that has both glaring and subtle security holes," Pieter said. "Security must move from a separate team into the developers themselves, especially when using Agile methodologies.

"This is demonstrated by the DevSecOps movement which says that everyone in the development process is responsible for writing in security, not just an isolated team."

The Australian bank will put its developers through a series of Secure Code Warrior courses that will test their individual ability to write secure code. Developers will have to identify a series of vulnerabilities and analyse multiple patch options in order to pass assessments.

Should there be a concerted effort to turn developers into secure coders? Let us know in the comments.


Comments

    Smarter way is saying increment for xyz certificate for security compliance is the key to induce security thinking. In all thinking of security is demanding need as banks and most financial transactions are totally online these days.

    As a corporate developer, I think this is great, and that the banks pushing their developers (I assume paying for the course as well) to learn to code securely will help the overall security of the apps they develop.

    As a developer, the problem I have is that there is so much to learn, and keep learning. Unless it piques my interest (latest shiny thing), is relevant for the task I'm doing at the moment (S#!t I need to make this secure - how do I go about doing it - gotta be done by tomorrow) or the company pays for the course (yeah right) it won't get learnt.

    The other issue then becomes putting this into practice. I hope the bank developers get the time they need to get this working while the spark in each developer is still there as opposed to telling them to get on with it or leaving it too long that the spark is put out with a wet blanket.
