Despite the abundance of security tools and services, companies still struggle to keep up with an ever-evolving threat landscape.
Part of the reason is a lack of security awareness and training among developers, which leads to vulnerable code being released and then exploited by malicious actors. Security measures such as antivirus software or vulnerability scanners add a layer of defense, but our guest today argues that it all starts with a security-focused development team.
To discuss how developers can be trained to identify and mitigate security threats, we sat down with Pieter Danhieux, CEO & Co-Founder of Secure Code Warrior, a company offering a learning platform and suite of developer-focused tools that assist development teams in navigating security vulnerabilities.
What has your journey been like? How did the idea of Secure Code Warrior come about?
As a young nerd, I was fascinated with taking technology apart to discover what was inside, and how it worked. Much to the relief of my family and our shared appliances, I eventually moved on to take the same approach with hardware and software, looking for ways to breach and break it. A lifelong passion for security was born, and for many years, I focused on sharing my “breaking” skills with students, colleagues, and the security community, showing how to find, use, and abuse errors in software. Later on, I re-focused on upskilling the defenders, teaching developers good, safe coding patterns in a classroom environment, and helping them to understand common vulnerabilities and how to avoid them. I also worked in consulting, where I advised large companies on how they could improve their security programs, especially when it came to developer involvement. It was during this time that I connected with what is now my founding team at Secure Code Warrior. Together, we understood the pain points that both security and development teams faced when it came to code-level vulnerabilities, as well as the issues that existed with most of the training solutions that were targeted at improving developer security skills. We set to work on our vision of a learning platform that could be scaled at the enterprise level, while still remaining fun and engaging for developers. Ultimately, we wanted to create a suite of tools that are tailored to the developer’s working environment, are less disruptive, and help them to build a security-first mindset. And we set out to make this as language-flexible and content-rich as possible.
Can you introduce us to what you do? What are the main challenges you help navigate?
Ultimately, we support enterprises to speed up their software development by removing the security friction and delays often introduced by the usage of bad security patterns in code.

We have created a learning platform and suite of developer-focused tools that assist development teams in navigating common security vulnerabilities, many of which have existed for decades and continue to expose companies to cyber risk today. The reason they persist is that developers lack the training and skills to remediate these code-level issues, and often introduce them in the first place through the continued use of poor coding patterns and techniques.

They are not taught secure coding at the tertiary level, and most workplace training programs are ineffective in delivering content that is relevant to their everyday work, in addition to being too infrequent to truly have an impact on code quality and security over time. Our solutions seek to provide engaging, relevant skill development that changes coding behaviors and helps them put security first in the real world. We are increasingly integrating with the environments that developers are most familiar with, and our focus on contextual learning gives users the best chance of retaining key education outcomes.

We also strive to do this in a way that helps developers see security in a positive, fun light that rewards success and builds community.
Since learning about secure coding might sound tedious to some, how do you manage to keep your training effective yet entertaining?
Our flagship learning platform is designed with developer engagement front of mind. One of the most popular features is the Tournament mode, where participants can test the knowledge they have picked up during training against their peers. Points are scored for each correct answer and a live leaderboard updates throughout the tournament session.

We have run these at community events and conferences, and some of our customers have done incredibly intricate themes where everyone comes in costume. It's a great team-building experience and the perfect time to celebrate the commitment to upskilling with pizza, prizes, and a break from the normal routine.

In addition, our content in general is available in more than sixty programming frameworks, using real code snippets that developers will actually see in their day-to-day work. It is so much easier to stay engaged when the content is hyper-relevant and assists in solving real problems, as opposed to watching videos or sitting an annual compliance exam.
What would you consider the main challenges developers run into nowadays?
I think it's important to establish that developers want to do well, but they haven't been adequately enabled for security in their education or careers. This is key to many of the problems they face from a security perspective.

They also tend to see security as sitting outside their scope of responsibilities, and in the vast majority of organizations, their KPIs do not include anything related to secure coding outcomes.

If we are to see a change in the volume of code-level vulnerabilities, this status quo needs to be broken. However, developers need the right support and tools to be the change we want to see, and the challenge lies in effective enablement, giving them time to train, and investing in that upskilling now to achieve security at speed later.
How did the recent global events affect your field of work?
While every business undoubtedly felt some effects of the current global climate on their targets, projections, and budgets, we have been fortunate to weather the storm to date. Cybersecurity is a non-negotiable element of most enterprises, and we work hard to remain part of that conversation with clients and prospects.
What are some of the best practices organizations should follow when developing software or applications?
Each organization will have its nuances, but generally, the companies that are operating with the best security practices are willing to think outside the box and try different approaches. They don't forget the power of people to make a positive difference in security outcomes.

For the most part, developers are not a huge consideration in a security program. However, in the face of a worldwide security skills gap that is unlikely to be filled any time soon, security-enabled developers can help reduce risk and achieve compliance from a software creation perspective. They can make an impact at the earliest and cheapest possible stage of the process.
Besides secure coding tools, what other measures or practices do you think not only can enhance but also secure business operations?
Every business should have some sort of role-based security training. There are a plethora of threats that exist outside of code-level exploits that threat actors seek to leverage, so every single person in the organization needs to have some regular grounding in security principles as they apply to their jobs.

In that sense, everyone from the office manager to the accounting team should understand and embrace the role they play in cybersecurity action and awareness.
Given that, in the current economic climate, CISOs are under a lot of pressure to keep businesses secure at the lowest cost, what advice would you have for them?
CISOs do need to employ some creativity in this climate, especially as cybersecurity legislation becomes increasingly demanding and, in some cases, leads to CISOs being held personally accountable in the event of a breach. Add layoffs to the mix, and you have a situation where fewer engineers will be expected to take on more responsibility while writing the same volume of software. CISOs can help the business enable their success by addressing one of the major roadblocks that slow them down: security.
By far the cheapest stage to address code-level security vulnerabilities and misconfiguration is before the software has shipped, which naturally puts the developer in a prime position to reduce that risk. However, they need tailored support to achieve this. Security at speed is possible if they supply the engineering cohort with tools that are developer-first, taking into account their current workflow and tech stack. They need enablement to achieve security accuracy at high velocity, and this is best addressed by showing them how to use secure coding patterns and fix things faster.
For the cost of comprehensive developer training, you can essentially work towards eliminating vulnerabilities at the source, saving time and money later in the software development life cycle (SDLC). With the frequency of large-scale attacks and more liability for CISOs than at any other time in history, we must stop blaming a cybersecurity skills shortage for falling behind. Prioritize defensive security practices and elevate the personnel who are already right in front of you.
What does the future hold for Secure Code Warrior?
We want to continue innovating, with the developer front-of-mind in the solutions we bring to market. We’re focused on enabling them to deliver security without compromising the speed of feature delivery, or their sanity as they juggle multiple priorities.
We aim to assist organizations in revolutionizing their defensive security program, and we want security-enabled developers to be the heroes of that story. Watch this space.