How Hands-on Security Training for Development Teams Helps Minimize Hacks

By Steindór S. Guðmundsson, CEO, Adversary

The best strategy to counter cybercrime lies not in technological security solutions, but in well-trained individuals. When developers and other IT staff understand security threats as well as the mindset of hackers, they can effectively adapt and defend against attacks.

The challenge

Companies today face enormous cybersecurity challenges, losing hundreds of billions of dollars collectively each year due to data breaches. Cybersecurity is famously hard and attackers are creative. They adapt quickly and are able to circumvent our cyber defenses. Cyber attacks have caused significant damage for individuals and companies and the threat only gets worse. The exponential growth of cybercrime worldwide has been a stark, consistent, and alarming trend.

This infographic from Information is Beautiful represents the trend well.

According to the European Union Agency for Network and Information Security, the loss from cyber attacks in the EU alone ranges from €1.6 – 10.8 million/year per organization or €208 billion/year (1.6% of GDP) across the financial, ICT, transportation, critical infrastructure and services (healthcare, government and energy) sectors.

In an attempt to minimize loss, businesses spend significantly more resources on reactive security than proactive security measures. This means they focus their time and money on trying to keep their software vulnerabilities from being exploited as opposed to preventing these vulnerabilities from existing in their code in the first place. Proactive security is the only realistic and truly effective strategy to get ahead in the race against cybercrime.

According to a recent Gartner report, 90% of companies consider cybersecurity to be an afterthought and their control strategies are focused on ‘firefighting’ if those attacks do occur, as opposed to preventing them. This suboptimal strategy causes enormous loss derived from cyberattacks since remediating a defect when software is already deployed in production can cost 95× more than in previous stages. Not only that, but it involves system downtime, damages to your brand, loss of customer trust, and even liability costs.

Lack of understanding

An obstacle for adopting a more proactive approach for software security is the lack of adequate training of IT personnel. As a chilling illustration, the most common kinds of software vulnerabilities in 2007 and 2017 compiled by OWASP are largely the same, suggesting a significant lack of understanding of security issues among software developers and an overall failure of education. Since security is defined as the absence of vulnerability, an abstract notion, developers must understand vulnerabilities to avoid making the underlying mistakes.

Furthermore, there is a lack of training both for security-specialized personnel as well as for general users. Companies and administrations are aware of the importance of having an effective security policy and well-trained staff, but how to apply them to improve the security level is an unanswered question that has been addressed as one of the main challenges in cybersecurity by the European Commission [4]. This inconsistency has formed a gap between security policy and its proper implementation within companies.

Conventional training is not enough

The best strategy to counter cybercrime lies not in technological security solutions, but rather in well-trained individuals who understand security threats as well as their adversary’s mindset and can adapt to new attacks. Unfortunately, proper training has been lax, owing to inappropriate and ineffective training methods, a lack of follow-up, and a dearth of qualified mentors. Application security training is scarce. Even in universities teaching computer science, security is an optional course at best.

Within companies, developers are typically trained in writing secure code through an annual or semi-annual presentation covering the OWASP Top 10. Such presentations, however, have limited impact, since people are unable to fully internalize the security issues and to avoid the problems in practice.

The need for interactive learning

Research has shown that with passive learning (reading, hearing, watching) most people remember only 10 – 30% of the content two weeks later, whereas they remember close to 90% through active learning, or doing it yourself [5]. Without proper training, developers will continue to write insecure code, which can be costly for a business when vulnerable code gets exploited, resulting in a massive data breach.

Companies have the option of organizing an internal seminar, with the caveat that it has to be held multiple times to get full participation, as projects, vacations, travel, and other priorities override people’s attendance. This involves a lot of planning and requires a budget, which results in these seminars being few and far between, meaning that new employees deliver a lot of code to production before getting any security training at all. Alternatively, companies send people to external security seminars, which often results in only a handful of developers attending, leaving the rest without any training.

Why hands-on security training

We learned through our sister company, Syndis, just how important it is for security training to be interactive. Syndis offered secure coding training in the form of an annual lecture with slides covering the OWASP Top 10, but they soon learned that this is not the optimal way to get the message through and therefore created a more hands-on alternative training tool. That tool turned into Adversary, and that’s how our product and company were born.

We also learned how important it is for those writing code to understand how a hacker thinks. Only by understanding one’s opponent can you effectively protect against them. That’s why users of the Adversary platform complete missions based on real-life hacking scenarios. Their task is to hack into various virtual websites while at the same time learning about common vulnerabilities such as the OWASP Top 10 and how to avoid making the same mistakes themselves. We all know that we learn more when we have fun in the process, and our mission is to make security training as fun, and therefore as effective, as possible.

References

  1. ENISA – The cost of incidents affecting CIIs
  2. RSA Conference 2017
  3. IBM Security – The cost of data breach
  4. European Commission (2017). EU cybersecurity initiatives working towards a more secure online environment
  5. Dale’s Cone of Learning

About Adversary

Adversary, headquartered in Reykjavik, Iceland, builds an online, hands-on cybersecurity training platform for development teams. Adversary helps companies minimize the risk of data breaches by equipping them with the knowledge needed to avoid costly attacks before they happen. The platform puts trainees in the shoes of the hacker as they complete training missions, earn points, and advance to harder missions. This hands-on approach to training teaches IT professionals why vulnerabilities such as the OWASP Top 10 arise and how to prevent them from occurring.

About the Author

Steindór S. Guðmundsson, CEO, Adversary. Steindór has over 25 years’ experience as Chief Product Officer, Development Manager and originally Developer in the technology and gaming industries. He has participated in many public and private initiatives and been the co-founder of several tech startups. Steindór can be reached online at steindor@adversary.io and at our company website adversary.io.