Why ‘Secure by Design’ Is Critical In Today’s Interconnected World
Posted: Thursday, Aug 29

The challenges faced by IT security teams are increasing by the day. Wider attack surfaces and the emergence of more sophisticated techniques have resulted in approaches that may have worked in the past no longer being sufficient to ensure effective protection.

Increasingly, organisations are recognising the need for better security strategies based on industry-leading advice. Going it alone is not an option.

For this reason, attention is being focused on the Secure-by-Design approach promoted by the US-based Cybersecurity and Infrastructure Security Agency (CISA). The Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) has joined forces with CISA to promote the approach among Australia’s public and private-sector organisations.

Although the Secure by Design guidelines are currently enforceable only on organisations that are software vendors to the government, they signal a broader industry shift toward higher standards of software security and quality. To achieve this, enterprise security programs must make developers a major component of their security cultures and strategies.

The security challenge stems from the fact that software developers all too often rely on poor coding patterns and insecure components to complete tasks in the shortest possible timeframe.

Although this should not be an acceptable standard, it is the environment in which they are forced to operate. Unfortunately, no certification or industry benchmark has traditionally been applied to help steer them in the right direction or identify knowledge gaps.

In today’s world, this is as nonsensical as if there were uncertified architects and engineers creating high-rise apartments. The time to change is now.

Achieving improved levels of security

CISA’s Secure by Design movement has already gained significant momentum. Alongside Australia, New Zealand, Canada, Singapore, Japan, Germany, and the United Kingdom are contributing to its creation or following it directly as part of their own cybersecurity strategies.

They are also working to push for more software manufacturers to adopt memory-safe programming languages, essentially eliminating nasty buffer and integer overflow vulnerabilities. These guidelines represent a sound framework for software vendors to improve the effectiveness of their security programs.

However, two key focus areas in the secure product development advice will be difficult to achieve without the right data points to inform a skills benchmark among an enterprise development cohort.

These areas are:

  • Providing secure defaults for developers:
    It’s important to make the default route during software development the secure one by providing safe building blocks for developers. For example, given the prevalence of SQL injection vulnerabilities causing real-world harm, ensure developers use a well-maintained library to prevent that class of vulnerability.
  • Fostering a software developer workforce that understands security:
    CIOs need to ensure their software developers understand security by training them on secure coding best practices. Also, they need to help transform the broader workforce by updating hiring practices to evaluate security knowledge and working with universities to weave security into computer science and software development curriculums.
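The "secure default" idea in the first point, shown as an added example (not code from the article or from Secure Code Warrior): the insecure string-splicing pattern sits beside a small allowlist-style query helper in which SQL text is fixed at one place and every value travels as a bound parameter, so the easy path for a developer is the parameterised one. The users table, the two rows and the probe string are constructed for the demo.

```python
import sqlite3

# Constructed sample data: two users in an in-memory SQLite database.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT NOT NULL, role TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn

def lookup_unsafe(conn, name):
    # The insecure pattern: input is spliced into the SQL text, so it can
    # alter the query's structure instead of being treated as a value.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]

# The safe building block: callers can only name one of these fixed
# templates. SQL text never originates at a call site, and values are
# always passed as bound parameters.
QUERIES = {
    "user_by_name": "SELECT name FROM users WHERE name = ?",
    "users_by_role": "SELECT name FROM users WHERE role = ?",
}

def run_query(conn, query_name, *params):
    try:
        sql = QUERIES[query_name]
    except KeyError:
        raise ValueError(f"unknown query {query_name!r}; add it to QUERIES") from None
    if sql.count("?") != len(params):
        raise ValueError("parameter count does not match the query template")
    return [row[0] for row in conn.execute(sql, params)]

def demo():
    conn = build_db()
    probe = "x' OR '1'='1"  # constructed input that closes the quoted literal
    return {
        "unsafe": lookup_unsafe(conn, probe),             # every user leaks
        "safe": run_query(conn, "user_by_name", probe),   # matches nothing
        "normal": run_query(conn, "user_by_name", "alice"),
    }

if __name__ == "__main__":
    print(demo())
```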

Increasing pace of code generation

Growing dependence on security tools and little focus on the root cause of many vulnerabilities have led to known issues not being effectively targeted. At the same time, the volume of code being produced to meet demand is out of control, especially with the rapid adoption of AI coding tools. As a result, developers unfortunately remain an afterthought in most cyber-defence strategies.

The current culture also doesn’t promote developer-driven security, and with little relevant training and little impact on their KPIs, the traditional motivators to inspire action are lacking.

Organisations will not see much change until developers are incentivised to care. Also, security programs are needed that can effectively measure their security skills baseline to prescribe the correct learning pathways.

Security maturity must go beyond dependency on tooling and AppSec-side experts and include deliberate measures to train and harness the power of security-skilled developers.

Achieving Secure-By-Design outcomes

One of the uncomfortable truths that needs to be considered is that, globally, organisations are currently unprepared to enact a high, consistent standard of software creation that follows secure-by-design principles. This needs to improve exponentially, and precision measurement of organisational security maturity—and individual developer security skills—will be paramount in facilitating the right growth and knowledge building.

Ultimately, enterprises will benefit from reaching a more harmonious state of measured security competency in the development cohort, in a way that facilitates more strategic deployment of personnel.

Security-aware developers are by far the most sought-after and should earn the privilege of running the most sensitive, prestigious projects in their organisations. The same deep insights that qualify them for these tasks should also inform the rest of their teams on where their knowledge must improve to reach the upper echelon, and, over time, lift code-level security maturity overall with the adoption of new standards of quality and security.

Pieter Danhieux
Pieter Danhieux is the Chief Executive Officer, Chairman, and Co-Founder of Secure Code Warrior. He started SCW in 2015 and built the company out from Australia into a global cyber security company with 220+ staff, helping more than 500 enterprises build secure coders and software. In 2020, Pieter was recognised as a finalist in the Diversity Champion category for the SC Awards Europe 2020. In 2016, he was No. 80 on the list of Coolest Tech People in Australia (Business Insider), was awarded Cyber Security Professional of the Year (AISA – Australian Information Security Association) and is a member of the Forbes Technology Council. Pieter has been a Principal Instructor for the SANS Institute since 2007, teaching military, government and private organisations offensive techniques for assessing organisations, systems and individuals for security weaknesses. Before starting his own company, Pieter co-founded NVISO in Belgium and worked at Ernst & Young and BAE Systems. He is also one of the Co-Founders of BruCON, one of the most awesome hacking conferences on this planet. He started his information security career early in life and obtained the Certified Information Systems Security Professional (CISSP) certification in 2004 as one of the youngest people ever in Belgium. Along the way, he collected a whole range of cyber security certificates (CISA, GCFA, GCIH, GPEN, GWAP) and is currently one of the select few people worldwide to hold the top certification, GIAC Security Expert.