“All You Need Is To Do 1% Better Every Day”: How Cybersecurity Training Can Reduce Software Vulnerabilities
Jared Ablon, co-founder and CEO of HackEDU, shares his insights on the application threat landscape, training best practices, and the current shortage of security specialists.
Cybersecurity is steadily rising in importance across all industries as companies increase their digitization efforts. These days, everyone needs to be concerned with cyberattacks, as online predators and hackers seek out ways to gain by exploiting any and every vulnerability they can find.
Network hacks and data breaches are a persistent threat for businesses. There is a hacker attack every 39 seconds, which is particularly concerning when you consider that 75% of businesses have no formal cyberattack response plan in place.
Cybercriminals use detailed technical knowledge and sophisticated tactics to compromise data. To prevent the kind of havoc and damage they can bring about, it pays to understand the dangers.
We spoke to Jared Ablon—co-founder and CEO of HackEDU—to discuss how developers can become key players in the effort to reduce vulnerabilities and increase the security posture of software within an organization.
Ablon, who began his career working for the United States Department of Defense, has worked in cybersecurity for 18 years and has spent several of those years helping companies improve their cybersecurity posture.
Alongside HackEDU co-founder Matt Koskela, Ablon observed that there was a clear need for cybersecurity training for software developers, particularly in the application security space. Using this knowledge, they began developing their training platform.
“We saw that it was a really good time to start something in hands-on cybersecurity training,” he explains. “New technologies were coming online which made it easier to do hands-on training online, whereas before it was much more difficult.”
Today, their customer base includes companies that create software internally, and they have trained software developers from small startups to Fortune 100 companies.
“Our goal is really to find out: how do we reduce vulnerabilities in software? We’re doing that through best-in-class training.”
HackEDU’s Approach To Learning
To train software developers to write more secure code, HackEDU has taken a “hands-on” approach, inspired by learning science principles. This includes delivering lab-based lessons and a range of features and capabilities that center around engagement and effectiveness.
“How do we improve the engagement? How do we get developers actually wanting to take the training? And also, how do we improve the effectiveness of the training? How do we make sure that developers are really learning and applying what they’re learning in practice to reduce vulnerabilities in software?” These are the questions that drive their product development, Ablon tells us.
One of the most effective ways HackEDU trains developers is by actually teaching them how to hack systems, something they call “offensive training”.
“We’re teaching developers how to hack, because it’s super engaging,” Ablon says. “Developers find learning how to hack incredibly interesting, as most have never had the chance to develop those skill sets.” While developers may be familiar with the defensive side of security, they typically have little insight into the attacker’s side of it.
“You’re actually teaching them how attackers are looking at their software, you’re teaching about the fundamentals of how these vulnerabilities actually work,” Ablon explains. And since offensive training techniques are more fun and, therefore, more engaging for users, it stands to reason that this approach would work well to help transform developers into successful defensive cybersecurity professionals.
To further support efforts to maintain engagement and effectiveness, HackEDU has developed the HackEDU Rewards platform, which allows organizations to give out rewards to incentivize developers to take part in—and complete—the training. HackEDU rewards include specially branded t-shirts, gift cards, and cryptocurrency, which developers receive upon completing certain parts of the training.
HackEDU also integrates with static and dynamic application security testing (SAST and DAST) tools that scan code for security vulnerabilities which might leave an application susceptible to attack. After the scan results are imported, the vulnerabilities found are outlined and users are automatically assigned the relevant training programs.
“So, the training is very targeted and timely. It’s exactly what organizations need when they’re having issues. And a lot of that tooling also is very unique to the HackEDU platform.”
Investing In Security Champions
There is currently a major shortage of application security professionals. Even if every existing position were filled, there would still be fewer of them than organizations would ideally like to hire if they had the funds. Because of this, security is often overlooked during the app-building process and left until the end of the traditional DevOps cycle. This inevitably leads to more production vulnerabilities and a longer development lifecycle, as vulnerable code is fixed retrospectively, and those fixes can in turn require changes to other parts of the code.
HackEDU’s response to the lack of security professionals in the industry is their “Security Champion” program. This is essentially the deputizing of your software developers, bringing them into the fold and making them an extension of the security team.
“Security champion programs are a way to help scale application security,” Ablon explains.
“You take a bunch of software developers that are sitting out in their respective teams, and they become security champions. You give them additional training, additional tools, then you build relationships between them and the security team.”
With a security champion in place, expertise can be embedded throughout the organization as a whole, enabling teams to spot and correct potential security issues before they can become a major problem. This integration of security into the development cycle is known as “DevSecOps”.
This helps developers to operate in a way that aligns with security goals and can also drive a significant reduction in vulnerabilities to the system. As a result, this increases the security posture of software within the organization.
Dealing With The Cybersecurity Skills Gap
In relation to the current shortage of security specialists, Ablon’s view is that the best way to encourage more people to get into security is to introduce better training programs. This is because a good training program can set potential future security specialists up for success and help them to be effective in their first roles.
However, Ablon advises against training people purely to fill open security roles, as he considers this an ineffective way of scaling security.
“I don’t think we’ll ever win if we’re just trying to train people to get into those security positions; we need to figure out ways to do things that actually scale across security.”
According to Ablon, the solution is to focus on getting people who are not a part of the security team to develop more security knowledge and adopt a more security-centric mindset, eventually becoming an extension of the security team. This is the overarching goal of the Security Champion Program.
“If we’re only thinking about the resource issue, we’re going to lose. But if we’re thinking about the resource issue, and how we can take it to the next level and scale, either with or without those resources, that’s when we’ll start to get a handle on doing much better in security.”
Build On The Basics
One of the biggest obstacles for organizations looking to secure their applications today is the lack of available resources, Ablon says. His advice for these organizations is to first focus on the basics, and then gradually build from there.
“Just start with the fundamentals,” Ablon tells us, “You don’t have to go in and do everything all at once. Instead, take it a step at a time and build it into the secure software development lifecycle.”
Over time, these small beginner-level steps should come together to form an effective program. Small, regular improvements that continually build on one another compound over time, which is where the real benefit lies.
It is also important to support your security-minded workforce with the right technology. For the foreseeable future, humans will be involved at all levels of an organization, so those people need to get on board and become part of the solution. At the same time, we need to avoid placing an unreasonable burden on them or expecting unachievable perfection; that calls for a dual approach in which as much of the process as possible is automated.
“You can’t just say ‘we’re going to focus on the people’ or ‘we’re going to focus on the technology’. Having a real comprehensive program requires both to work together.”
Thanks to Jared Ablon for joining us for this interview. You can find out more about HackEDU and their secure coding training here: https://hackedu.com