
Why learning to think offensively is key to writing secure code

With cybercrime on the rise and data privacy regulations increasing, it's crucial that developers write secure code and that organizations take the initiative to train them regularly and effectively.

Cybercrime is an ever-increasing problem in contemporary society as we become more and more reliant on technology, not only to run our everyday lives but to store our personal and private information. Almost every aspect of our lives depends on software in some shape or form, and yet most universities still don't require computer science students to complete a single course in security. On top of that, the OWASP Top 10 web application risks are largely the same categories they were 15 years ago.

(Photo by Liam Tucker on Unsplash)

In order to tackle this growing problem, we need to go directly to the source and start training software developers and other IT professionals in a way that is effective and that sticks. Since many programmers have had little, if any, security education, businesses need to take on that responsibility themselves and ensure their staff are adequately trained. This is not only to minimize the chance of a costly breach and a PR disaster, but to comply with stricter regulations and avoid penalties such as the 183 million GBP fine the UK ICO announced against British Airways last year. Beyond that, it is simply important for corporations to act responsibly and protect our data, our privacy, and increasingly our physical safety as well.

It's time for corporations and educators alike to step up and start training developers in a fun, effective, and efficient way. The three methods below are valuable on their own, but combined they become far more powerful.

Interactive secure coding training


As with any kind of learning, most people retain more when they learn by doing. The retention figures commonly attached to Edgar Dale's cone of experience (and worth noting: these percentages were added later and are not part of Dale's original 1946 work) put retention at about 5% for a lecture and about 10% for reading, versus about 75% for learning by doing and up to 90% when learners go a step further and teach others. Whatever the exact numbers, the underlying point that active practice beats passive listening has been understood for decades, and yet most corporate training still relies heavily on lecture-based education.


Not only are lectures often boring, they also require everyone who needs training to be available at the same time and in the same place. As teams become increasingly distributed, it's often not easy to get everyone into the same room at the same time to attend a lecture in the first place.

When training takes place online and on demand, through interactive lessons and exercises, it can be done at any time and from any place, and the entire team is not pulled off work at once. Team members can work on training on a day when they have a lighter workload or simply need a change of pace. That is good for the wellbeing of the individual as well as the company, since it helps to prevent burnout and boredom.

Learning through gamification 


(Photo by Nikita Kachanovsky on Unsplash)

When we combine on-demand, interactive training with fun, it becomes even more powerful. When we enjoy doing something, we are not only more likely to do it without being asked, we are more likely to remember what we learned in the first place.

Most people seem to know this inherently; it simply makes sense. And yet corporate training, like higher education, relies almost entirely on lectures and slide shows. I don't know about you, but there have been few lectures in my life that I could call fun. Even the ones I enjoyed, with a very engaging lecturer or speaker, I remember almost nothing from.

At the same time, we're living in an age with endless learning opportunities. There is a rise of learning apps and tools that teach us skills such as a new language and use gamification to keep us engaged, interested, and wanting to learn more. It's no coincidence that apps like Duolingo are so popular. My mother has lived in a foreign country for about 20 years and only started making real progress on learning the local language after downloading the app, despite having attended multiple language courses.

It’s time for us to apply the gamification methodology to corporate security training. 

Gamified online security training tools are not only more interesting, they're more effective and often the more economical choice. In some cases, game-like training programs also help to foster a culture of security within the organization and create healthy competition among team members who want to be the best at security.

Understanding the hacker’s perspective


(Photo by Nahel Abdul Hadi on Unsplash)

Now we know why interactive training and fun learning are important, but what about the perspective from which we learn? Cybersecurity is still security. Would you train a police officer or security guard only to defend, and teach them nothing about how criminals think or how they exploit particular situations and victims? That would be not only irresponsible but also very ineffective. Yes, a police officer needs to know how to protect themselves and the people in their care, but part of knowing how to protect is understanding the moves a criminal might make in the first place.

It's no different when it comes to learning secure coding. Learning by doing, and having fun while doing it, applies to any kind of training. But for security training specifically, it's also incredibly important for those writing and reviewing code to understand how an attacker thinks, what their moves are, and how they exploit vulnerabilities.

You can only play defense if you understand offense.

Only by learning, in a hands-on and engaging way, to think like an attacker and understand how your organization's code and protective measures can be exploited, can developers learn to write code that is less likely to be broken into in the first place. Mistakes will still be made, we're all human, but getting the entire development team to defend by thinking more like the adversary can only be a good thing. Relying purely on testing, on a dedicated security team or firm to catch issues, or worse, waiting to be hacked and then fixing it, is nothing short of irresponsible.

Marta Schluneger