Developer Education: Learning to Secure Code on Demand

Scanning your code base frequently to discover security risk early in development gives engineers more time to address issues. But security risk is a challenging problem, and most developers need more than just time.

Consider:

  • Over 60% of identified vulnerabilities aren’t fixed.
  • It takes ~three months to address an identified vulnerability.

These facts mean that AppSec teams can become easily overwhelmed, leaving security issues untouched and your application vulnerable.

So, what can you do to improve the likelihood and pace of getting issues addressed?

Teach your AppSec engineers how to fix things so that it’s easy for them to do so.

Some background

But let’s back up a bit. Before we talk about security education, let’s look at what the vulnerability mitigation process might look like today.

Suppose you want to remediate an XSS vulnerability. To get more information, you go to Google and look for information on what this type of vulnerability is, why it is problematic, and so on.

Once you know what an XSS vulnerability is, you’ll probably look for information on how to mitigate it. You see an option in your search engine results, and it seems to be a perfect fit.

But it turns out that the option is not so good after all, and unless you did additional reading into the suggested option, you would not know this.

Meeting Developers’ Needs for Education

When it comes to educating developers regarding vulnerability mitigation, the following are essential things to consider:

  1. They need reliable information: as we have seen, without proper guidance, developers default to searching for information and can occasionally be shown inaccurate information.
  2. The information they need is highly specific: many developers aren’t trained in application security, so they need clear guidance on the different vulnerabilities and their impacts.
  3. The information they’re given should be in their context: many developers currently find existing vulnerability mitigation processes challenging to work with.

As you can imagine, not all training for developers regarding application security is created equal. As such, we’ve launched ShiftLeft Educate, which is our context-sensitive, comprehensive offering designed to help developers learn the information they need when they need it.

Introducing ShiftLeft Educate

As we mentioned, ShiftLeft Educate offers context-sensitive and comprehensive application security education for developers.

Context-Sensitive

ShiftLeft’s education offerings are integrated into NG SAST, our static analysis offering, and the information they provide is language- and vulnerability-specific.

When you analyze your code, and NG SAST identifies a vulnerability, you’ll also get information under the Security Training area. The information that you’re presented with is language- and vulnerability-specific.

For example, suppose you scan a Java app, and NG SAST identifies an XSS vulnerability. In that case, your Security Training area will include information about XSS vulnerabilities with all examples and code samples written in Java.

With this feature, your developers will see only the information they need when they need it.

Comprehensive

ShiftLeft’s Education platform is comprehensive. We offer certifications, which prove that your developers have completed training in a series of related topics. We cover all the languages currently supported by NG SAST, including Java, C#, and Python.

ShiftLeft will also track coursework completion on your behalf, and if you need assistance, our Support team is available to help.

Conclusion

One of the challenges regarding vulnerability mitigation is that many developers simply aren’t trained in application security. To help fix this, ShiftLeft’s Educate platform can help you speed up your vulnerability mitigation rates by providing your developers with the context-sensitive, comprehensive education they need to tackle security issues.


*** This is a Security Bloggers Network syndicated blog from ShiftLeft Blog - Medium authored by Katie Horne. Read the original post at: https://blog.shiftleft.io/developer-education-learning-to-secure-code-on-demand-4dee53e27d92?source=rss----86a4f941c7da---4