Is it time to Reimagine AppSec Training?
A closer look at various industry reports indicates that software vulnerabilities continue to creep into code at an alarming clip.
- A recent report from Veracode points out that two out of three applications failed to pass tests based on the OWASP Top 10 and the SANS Top 25 industry standards.
- The 2018 Payment Security Report from Verizon shows that enterprises commonly fail to comply with one or more requirements of PCI DSS. The same flaw classes keep repeating year after year: data leakage, cross-site scripting, SQL injection and cryptographic errors.
Despite the shift to DevOps, why is software still so insecure? Enterprises can focus on a few actionable steps.
- Prioritize finding and fixing vulnerabilities early in the development cycle. Shifting security left and training developers to write secure code will go a long way.
- Security scans should be part of the build/release process, integrated with the CI/CD tool chain so that a failing scan blocks the release rather than producing a report nobody reads.
- Ageing software flaws expose the organization to unknown risks. Ignore security debt at your own peril. Set a cadence for fixing accumulated flaws and keep chipping away at them.
- Regular AppSec training for your developers needs to be an essential component of your SDLC. Make the shift from check-box compliance and boring training videos to hands-on labs where developers learn to identify and fix vulnerabilities in real code samples.
- CISOs and development managers need to take the lead in integrating DevSecOps into the development pipelines.
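As an added illustration of the kind of hands-on lab the list above calls for (this is example code written for this page, not material from the original post or from any training vendor), the block below puts a vulnerable login lookup beside its fixed form. The two flaw classes it touches, SQL injection and weak credential handling, are among the recurring ones the reports cite. The user table, the passwords and the attacker payloads are all constructed for the lab; the functions `login_vulnerable`, `login_fixed` and `run_lab` are hypothetical names chosen for the exercise. It runs offline against an in-memory SQLite database.

```python
"""
Added example: a minimal "identify and fix" lab for SQL injection.

Two versions of the same login lookup run against a constructed in-memory
SQLite database. Attacker-controlled input makes the vulnerable version
return a row it should not; the parameterised version is unaffected.
"""
import sqlite3

# Constructed sample data for the lab only. Real systems must never store
# plaintext passwords; that is the "cryptographic errors" flaw class in the
# reports above, kept out of scope here so the injection point stays visible.
USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db() -> sqlite3.Connection:
    """Create the throwaway database the lab runs against."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """The flaw (CWE-89): user input is spliced into the SQL text, so a quote
    in the input ends the string literal and the rest becomes SQL syntax."""
    query = (
        "SELECT 1 FROM users WHERE name = '" + name
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone() is not None


def login_fixed(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """The fix: a parameterised query. The SQL text and the values travel
    separately, so input can never change the query's structure."""
    query = "SELECT 1 FROM users WHERE name = ? AND password = ?"
    return conn.execute(query, (name, password)).fetchone() is not None


def run_lab() -> dict:
    """Exercise both versions with a legitimate login and two classic payloads.

    Returns a dict of outcomes so the result can be checked programmatically
    (for instance as a CI gate on the training repository).
    """
    conn = make_db()
    tautology = "' OR '1'='1"   # turns the WHERE clause into a tautology
    comment = "alice'--"        # closes the name literal, comments out the rest
    return {
        # Both versions accept a real credential pair.
        "vuln_valid": login_vulnerable(conn, "alice", "s3cret"),
        "fixed_valid": login_fixed(conn, "alice", "s3cret"),
        # Only the vulnerable version is bypassed by the payloads.
        "vuln_tautology": login_vulnerable(conn, tautology, tautology),
        "vuln_comment": login_vulnerable(conn, comment, "wrong"),
        "fixed_tautology": login_fixed(conn, tautology, tautology),
        "fixed_comment": login_fixed(conn, comment, "wrong"),
    }


if __name__ == "__main__":
    for check, outcome in run_lab().items():
        print(f"{check:16s} -> {'row returned' if outcome else 'no row'}")
```

A lab like this is worth more than a slide because the developer can watch the tautology payload build the string `name = '' OR '1'='1' AND password = '' OR '1'='1'` and reason about why AND/OR precedence makes it match every row, then make the one-line change and confirm the payloads stop working while the real login still does.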
Where are you on your AppSec transformation journey?