Raise the AppSec Bar in Federal Government: Train Developers to Code Securely
Federal agencies are developing and releasing software and apps at a rapid speed. This haste comes at a price. Verizon reports that nearly 70% of the data breaches it investigated in 2019 were due to attackers targeting vulnerabilities in public-facing web applications. It also introduces compliance risk. Federal mandates such as FISMA, NIST 800.53, DISA STIG, and others require that security controls be baked into the application development or DevOps lifecycle.
A lack of skills leads to a lack of confidence in AppSec
The primary reason apps contain vulnerable code is due to quick releases. The Ponemon Institute found that 69% of IT and security practitioners blame the pressure placed on development teams as the main reason why apps are released with vulnerable code. Yet, there is a severe lack of urgency in addressing the issue.
Part of the challenge is that 69% of software engineers are self-taught or not required to take a security course for graduation. SANS’s State of Application Security report finds that the lack of skills, tools and methods is one of the top three challenges to implementing AppSec.
The challenge is that traditional learning environments – classroom training and online courses – fail to achieve developer secure coding education (SCE). They are out-of-context to the everyday activities that developers perform and often mundane.
Empowering developers to take security into their own hands
The best way to train someone on a certain activity is while they are doing that activity. With this in mind, DLT partner, Checkmarx, introduced gamification and contextual learning into AppSec training.
Checkmarx Codebashing is a gamified platform that trains developers how to code securely and it fits into their daily routines. Rather than learn about security vulnerabilities out-of-context, developers receive bite-size, on-demand sessions that are relative to the specific challenges they are facing in their code.
Find and fix in one go
Checkmarx is unique in that its Codebashing solution integrates with static AppSec testing (SAST) and highlights the line(s) of code where software defects are detected and points to quick remediation guidance. This teaches the developer why the problem happened, how to fix it, and how to prevent making the same mistake again. This DevSecOps approach helps accelerate DevOps projects, without the security risks.
Near-instant feedback just a click away greatly reduces the time required to fix vulnerabilities, decrease repetitive defects, and results in better application security overall.
Meet compliance standards with ease
Achieving compliance with federal mandates and security standards like FISMA, NIST 800.53 and the Risk Management Framework, as well as DISA’s Security Technical Implementation Guideline (STIG), can be challenging in a DevOps environment. By training developers to code securely and integrating security testing into DevOps, Agile, and CI/CD environments Checkmarx simplifies security compliance. To prove it, Checkmarx has a Certificate of Networthiness (CoN) from the U.S. Army ID 38392. Indeed, SAST is unique in the public sector – no other federal-grade platform addresses core security issues with a single easy-to-deploy and use solution.
AppSec awareness is a common obstacle in all agencies
To address such obstacles and way forward, DLT recently held a webinar with industry experts on An AppSec Awareness Program for Developers – The Critical Steps to Success. The recording can be accessed here. Below are some additional resources. DLT is always available to answer your questions and assist you to solve your technology challenges. Reach DLT at firstname.lastname@example.org.