Tailor security training to developers to tackle software supply chain risks

A lack of cohesion between software development teams and cybersecurity functions compounds the software supply chain risks faced by organizations, making it all the more urgent for cybersecurity leaders and their teams to better engage with and educate developers. Standard cybersecurity awareness training won’t be effective with developers, experts say. The training must be tailored to address the specific cyber risks surrounding the software development lifecycle.

The risks of insecure software were laid bare in early 2021 by the Sunburst supply chain attack in which threat actors infiltrated a commercial software application made by SolarWinds to target a wide range of organizations, individuals, and government agencies. The attack was not only complex and difficult to detect, but also wide reaching, impacting tens of thousands of victims. Furthermore, it served as a prompt to cybercriminals of the vulnerabilities surrounding software supply chains and the potential benefits of specifically targeting development lifecycles, including developers themselves.

Organizations fail to address software development cyber threats

Several months on from the SolarWinds attack, a new report from Osterman Research suggests that organizations have yet to address the underlying people-related security issues that can lead to such software supply chain compromises. Imperfect People, Vulnerable Applications outlines the human elements contributing to cyber risk in the software development lifecycle (SDLC) based on responses from 260 people in application development and security roles across the US and UK. It reveals that 45% of development teams feel their understanding of the latest application attacks is lacking, with the vast majority (81%) admitting to knowingly pushing vulnerable code live. What’s more, just 27% of front-line development professionals consider application security their responsibility, despite 80% of their senior managers believing it is.

The findings are no more positive from the perspective of cybersecurity professionals. Only half of CISOs (50%) have confidence that secure applications can be developed, while 45% of security workers believe developers do not understand the latest threats to application security. In fact, 56% of security teams believe their company would not be able to withstand a SolarWinds-style attack on their software build environment.

Insufficient cybersecurity training exacerbates software supply chain risks

This lack of alignment and understanding is exacerbated by outdated, insufficient, and irregular cybersecurity information sharing, education, and training for developers, the report deduced. The legacy, classroom-based approaches don’t engage developers or impart the knowledge required to match the fast-paced threat landscape and dynamic technology fundamentals of the SDLC.

Security awareness training has, for a long-time, failed software developers, concurs Tiffany Ricks, CEO and founder of US-based automated security and awareness training provider HacWare. “The tricky thing about security training for developers is it has to be relevant content, at the right time, to promote innovation.”

Another sticking point is that so many new developers are from various educational backgrounds, Ricks adds. “They do not understand how to get started with secure coding and they need coaching.” Osterman’s report discovered that half of new employees joining an organization are not provided with effective training on application security, while only 45% of front-line developers are given the necessary time to learn how to create secure applications. “Continuous and targeted security awareness training is therefore essential for software developers,” she argues.

So, how should organizations and their security functions approach such tailored security awareness raising efforts for developers?

Recognize that developers are a target for cyberattacks

For HD Moore, co-founder and CEO of Rumble Network Discovery, and founder of the Metasploit Project, a good place to start is recognizing that developers themselves are at growing risk of targeted attacks. “Security training for development teams is often focused on code safety and doesn’t touch on compromised dependencies or the possibility of personal accounts being targeted,” he tells CSO. “Developers not only write code for a living, they run it, too, and that puts them at increasing risk of targeted attacks. In terms of attack surface, development teams are exposed to a huge number of third-party resources and services, and existing security training programs rarely take this into account. For example, a malicious pull request [on GitHub] for an open-source project may be a quick way to steal credentials from the project developers, especially if well-disguised with other changes.” Moore notes that it’s difficult to spot vulnerabilities intentionally introduced through compromised or look-alike dependencies during a casual review.

Organizations should therefore improve their security awareness programs to account for targeted attacks against personal accounts, malicious and compromised dependencies, and phishing attacks in general, says Moore. “Security programs that monitor unusual use of developer credentials have a leg up in terms of responding to successful attacks.”

Address highest risk software supply chain threats

Place focus on providing early and regular intelligence on the software supply chain risks that are most likely to cause significant damage to the business, such as malicious third-party software updates and compromised open-source code, says Mark Orlando, SANS instructor and co-founder and CEO of Bionic Cyber.

“The ubiquity of these programs and packages makes them attractive targets as they enable an attacker to bypass most security controls,” says Orlando. “Compromises can also be difficult to remediate once these compromised components have been included in an internal system.” He cites the Codecov, SolarWinds compromises, and malicious libraries uploaded on the Python Package Index in 2018 as examples of malicious updates that you should expect to continue in the future.

Build security controls and monitoring into development processes

Security teams should work together with development teams to build security controls and monitoring into the development process, as opposed to attempting to bolt things on post-development, Orlando says. “Securing software development is different from securing other infrastructure in the sense that we can’t wait for a system to enter production before we start to care about it. It requires partnering with and supporting development teams versus imposing additional work that may cause delays. The goal of this partnership is to weave assessment and remediation processes into the deployment pipeline as early as possible.”

This means injecting security requirements into development sprints, providing timely feedback on bugs, and enabling development to meet its deadlines without sacrificing security, Orlando explains. “The security team must also act as a resource to keep developers apprised of application and infrastructure-specific threats and provide constructive guidance on how to address issues.”

Don’t omit data compliance in software development training

It’s becoming increasingly important to address the complexities of data storage requirements for personally identifiable information (PII) under regulations such GDPR, PCI DSS and others in developer-specific cybersecurity training, says Ricks. “It is the developer’s job to build the code so that the data is no longer identifiable. Their security awareness program needs to touch on best practices for encrypting data and anonymizing it so it follows compliance standards for storage. If the end-user requests their data or wants it removed from the system, the engineer has to know the best practices for coding this feature.”

Make cybersecurity training for developers engaging

Whatever form of cybersecurity training, education, or information sharing a security team opts for, the most important aspect is that it is as engaging as it is relevant for developers. “Effective training must involve collaborative, interactive skills building and micro-drilling—not videos, multiple-choice questions, and tabletop exercises,” says Sean Wright, lead application security SME at Immersive Labs. “Also, practical, real-world training is hugely important. Developers love coding, so getting them to actually code and get hands-on with some real vulnerabilities as part of the training makes it significantly more engaging, which means the information will stick.”

Tying this into real-world business examples is particularly effective. Wright encourages the cybersecurity function to instill a “why” mindset among developers. “Why should I be concerned about this vulnerability? What does it mean for my organization if I leave it in? What is the broader impact? Training that gets this message across more effectively is more likely to result in better engagement, both in terms of willingness to take part in the training, as well as ensuring the information from the training really sinks in.”

It’s no secret that the SolarWinds compromise has increased overall awareness of cyberthreats surrounding software development teams, processes, and supply chains. However, common application attack methods such as SQL injection and cross-site scripting have been around for decades now and yet are consistently present in several of the top vulnerability lists whilst regularly flying under the radar of security programs. Organizations are still seemingly failing to truly address the people-centric, awareness-based issues that lead to such compromises, but as the ramifications of application supply chain vulnerabilities have proven this year, they are doing so at their peril.

Time and resource issues within security teams will prove a potential hurdle to overcome in garnering a more collaborative, intel-sharing culture with the development function (Osterman’s report discovered that 56% of security respondents do not have the necessary time to help the development team secure applications) but surely the old adage ‘Give a man a fish, and you feed him for a day; show him how to catch fish, and you feed him for a lifetime’ has never rung truer from a modern, organizational cybersecurity perspective.