Cyber awareness training and developers
Cyber awareness training is essential for developers: it helps them understand the potential impact of vulnerable code.
In today’s connected world, every employee is going to interact with computer systems handling potentially sensitive data multiple times a day. They may even access such data through much less secure channels such as USB sticks, or their own phones / home PCs. Awareness of cyber security issues is more important than ever, and the way to protect the company against such threats is to make the employees undergo cyber awareness training.
Each of the interactions with a system is part of its attack surface. An attacker may target the employees with phishing, malware / ransomware, or various social engineering tricks to ultimately gain access to a system or steal data, without even needing to exploit weaknesses or vulnerabilities in software. We can say that the attackers are hacking humans instead of computers and – unfortunately – humans tend to be easier targets.
Cyber awareness training is a well-established practice at this point; an example is the US Department of Defense Cyber Awareness Challenge. Such training makes employees understand the potential risk posed by these threats and helps them realize when they’re being attacked. It instills a healthy level of paranoia.
But is user-level awareness the only hurdle to overcome when it comes to securing the company’s digital assets?
Know your enemy – beyond cyber awareness training
Everyone assumes that no software will ever be bug-free, and all development methodologies put measures in place to keep the number of bugs to an acceptable level and fix them in a timely manner. However, an even more important question is whether a particular bug is exploitable (and thus a security vulnerability) and how much damage an attacker can do when exploiting it.
If a developer is aware of security issues and secure coding concepts, they will be writing code with that in mind – validating inputs, not blindly trusting the results of function calls, and handling errors or exceptional scenarios in a robust manner. Thus, even if a bug stays in the code – as long as the developer is security-aware – it will be significantly harder to exploit or not exploitable at all.
The two most important things developers need to understand are:
- The potential impact of a single mistake that results in an exploitable vulnerability. In the worst case, this can be in the hundreds of millions of dollars in damage – WannaCry is estimated to have caused around $4 billion in losses, for instance!
- The role of developers in preventing those losses. Secure coding practices such as defensive programming can help a lot by themselves in severely limiting an attacker’s options when trying to exploit a bug. Being aware of the most common programming mistakes that lead to vulnerabilities will prevent the developer from making them by accident.
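As an added illustration of the defensive programming practices named above (validating inputs, not blindly trusting the results of function calls, and handling error cases robustly), the following is example code written for this page, not code from the original post. It parses a constructed `host=NAME;port=NUMBER` record that a hypothetical service receives from an untrusted client, first the way a security-unaware developer might, then with a defensive version that refuses anything it cannot fully account for.

```python
import re
from typing import Optional, Tuple

# Hostnames are restricted to a conservative allowlist (lowercase letters, digits,
# hyphens; no leading/trailing hyphen; at most 63 characters per the DNS label limit).
VALID_HOST = re.compile(r"[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?")


def naive_parse(record: str) -> Tuple[str, int]:
    """Trusting version: every intermediate result is used without checking it.

    str.find() returns -1 on a miss, but the slice is taken anyway; int() raises on
    anything that is not a decimal number; the port is never bounds-checked; and a
    reordered or malformed record silently yields the wrong host or an exception.
    """
    host = record[record.find("host=") + 5:record.find(";")]
    port = int(record[record.find("port=") + 5:])
    return host, port


def defensive_parse(record: str) -> Optional[Tuple[str, int]]:
    """Defensive version: returns (host, port) or None, never partial or guessed data.

    Every step validates its own input and checks the result of the call before it,
    so a malformed record is rejected early instead of propagating into later code.
    """
    # Reject wrong types and absurd sizes before doing any work on the data.
    if not isinstance(record, str) or not record or len(record) > 256:
        return None

    fields = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        # partition() returns an empty separator when '=' is absent: check it
        # rather than assuming the split succeeded; also refuse duplicated keys.
        if sep != "=" or not key or key in fields:
            return None
        fields[key] = value

    # Exactly the expected keys, nothing missing and nothing extra.
    if set(fields) != {"host", "port"}:
        return None

    host, port_text = fields["host"], fields["port"]
    if not VALID_HOST.fullmatch(host):
        return None

    # str.isdigit() also accepts non-ASCII digits (e.g. superscripts) that int()
    # rejects, so require ASCII explicitly, then enforce the valid port range.
    if not (port_text.isascii() and port_text.isdigit()):
        return None
    port = int(port_text)
    if not 1 <= port <= 65535:
        return None

    return host, port


if __name__ == "__main__":
    # Constructed sample records: one well-formed, the rest malformed or hostile.
    samples = [
        "host=db01;port=5432",
        "port=5432;host=db01",          # reordered: naive version mis-parses it
        "host=db01;port=99999",         # out-of-range port
        "host=bad host!;port=22",       # characters outside the allowlist
        "host=db01;port=22;extra=1",    # unexpected extra field
    ]
    for sample in samples:
        print(repr(sample), "->", defensive_parse(sample))
```

The defensive version is longer, but each check corresponds to one assumption the naive version makes silently; a bug elsewhere in the service now has far less attacker-controlled data to work with.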
To summarize, cyber awareness training is just as important for developers as for end users – though the focus is different.
Who holds the keys to the kingdom?
It is tempting to think that software security is a top-down concept. Systems designed with security in mind that have appropriate security controls and security-aware users should be impervious to attack! However, the truth is that security is much closer to a bottom-up affair: individual mistakes committed by developers can jeopardize the security of the entire system. Conversely, secure and robust code is a large factor in making the system resilient against attacks, even currently unknown ones. Ultimately, the power to secure a system is in the hands of the developers and their security awareness should be a high priority as part of implementing secure coding practices.
Another important aspect of cyber awareness training is that – just like vaccination – it needs to be universal. If there are some developers who are not aware of vulnerabilities and their impact, it is very possible that they will keep writing vulnerable code. Even if the rest of the developers know about those vulnerabilities, there may be a situation where such a vulnerability will slip past a code review or a red-teaming exercise. This is exacerbated if only a handful of security experts (or security champions) are aware of vulnerabilities and are expected to secure the code of everyone else by themselves! Cyber security is everyone’s responsibility, after all.