Originally posted on the Outpost 24 blog.
Increasingly, boardrooms are starting to recognize a simple fact: being hacked is a question of when, not if. It is also becoming accepted that most companies have already experienced some type of data breach, often without their knowledge. This all adds up to estimates that a cyber-attack occurs every 39 seconds, if you believe such statistics. That puts huge pressure on organizations not only to decrease the likelihood of adding to this statistic, but also to fulfil the duty they have towards their users, employees, and customers.
There are many approaches people have taken throughout the ages. The newest movement within the industry is that of “shifting left”.
Shifting left means that your organization does its best to avoid issues before they occur. It means being proactive instead of reactive, and addressing issues and risks as soon as they are identified, rather than kicking the can down the road.
This principle is especially relevant and has been adopted throughout the Dev(Sec)Ops process. Security has historically been one of those non-functional requirements that organizations would forget. But by making it a core requirement throughout a business process and making it a core part of an organization’s cultural fabric, it gets shifted towards the left in the development lifecycle.
This can be done by hiring more security people to integrate into the different business functions and development teams, working with external consultants, equipping your teams with commercial tools that help detect issues, or even just increasing security awareness and training. It’s all about shifting left and ensuring that people always have security in mind, so that risks are avoided rather than purely reacted to once they occur.
As customer demands grow and development teams become more stretched, it’s more important than ever for all IT staff to embrace security and take it seriously. The DevSecOps phenomenon grew in 2019, and it’s increasingly common for forward-thinking organizations to embrace this approach and invest both in automation that tests for security holes and in training. By shifting security thinking as far left as possible to include developers, risk mitigation becomes part of everyone’s job description and is baked into your development culture.
With GDPR having come into effect in May of 2017, there is now even more pressure to keep data secure. When a business experiences a data breach, it is no longer only a case of reputational damage and financial cost, which are big enough issues on their own; businesses are now also required to report the breach. Not only that, but they are held accountable by the law, and we are already starting to see organizations fined for not keeping their data secure.
The first of these was when British Airways was fined 138 million GBP due to a data breach.
Similarly, we’re just a month away from the California Consumer Privacy Act (CCPA), which takes effect on January 1st 2020. Under CCPA, a data breach involving a Californian resident can cost you from $100 to $750 per record. And that is before accounting for cases where the actual damages are higher, in which case the damages determine the fine.
IT teams, and particularly developers, need to be aware that data breaches can stem from vulnerabilities hidden within code, and that a flaw which is not caught early can be picked up by cyber criminals and exploited. It’s time organizations gave their developers accountability. But how can development managers gain traction and change culture?
It costs companies a lot more money to fix a defect once it’s in production than to catch it during development. The money saved this way outweighs the extra time spent on code reviews many times over. It’s important to ensure that feedback is given and received through all stages of the development process. Making developers more accountable and putting feedback closer to where mistakes are made drives a culture where individuals become more security aware and take ownership of the consequences if a breach were to happen.
More and more businesses are investing in developer training and management is becoming more interested and beginning to understand the need for this.
By training your team in security best practices, you empower the whole team with a skill that many consider to be essentially black magic. Implementing a safe code culture and security training program means developers take more responsibility and feel a greater sense of mastery and challenge. This is a drastic difference from the traditional feedback loop, where a penetration test report lands on their desk every so often and they must explain why the flaws exist: a demotivating feedback loop that everybody hates, and one that is more costly and less efficient. If developers can take time out to train in safe code practices in an interactive and fun environment, it helps skill up your workforce and encourages them to become secure code warriors and advocates for your business.
We all know how inherently competitive developers are, so adding a gamification element allows them to benchmark their performance, with real-life hacking scenarios encouraging them to get involved and receive the optimum benefit. The team feels more engaged as they compare their performance to their peers by tracking their scores on an interactive leaderboard.
No matter how your organization chooses to tackle security issues, a reactive approach will no longer cut it in the current threat landscape. In the best case, those who do not take the time to devise an effective shift-left strategy will be left behind and lose their advantage in an environment where security has become a competitive differentiator. In the worst case, it could become an existential threat if no effort is put towards it.
Making the most of your security investment is paramount. Implementing developer training and adding a robust AppSec solution can boost your resources and create greater value, as staff feel more invested and motivated to promote security best practice. Giving them the tools to ‘self-start’ means you’re less likely to be hacked and more likely to have a harmonious workforce who all consider security a priority.