Software development teams are facing growing pressure to shorten their development lifecycles and push products and updates faster than ever. The sooner a finished application is launched, the greater the chance of meeting customer demand and stealing a march on the competition to claim market share. Likewise, getting fixes and new features live quickly makes it easier to keep customers happy.
But while time is money, more speed can also quickly introduce more vulnerabilities into the application. While a certain level of risk is acceptable, no developer can afford to have a major security breach undoing all their hard work.
To make matters worse, cybercriminal groups are increasingly preying on this need for speed, exploiting critical open source resources to infiltrate the software supply chain.
Developers need knowledge, resources and support to keep their code secure, with as minimal impact on development schedules as possible.
Dedicated training, in close collaboration with their application security counterparts is one of the key ways to empower developer to achieve this balance.
Senior Product Marketing Manager at Checkmarx.
The growing risks in open-source development
One of the reasons for a greater focus on AppSec skills is the growing concern around unsecured third-party code.
Open source code has become an essential resource for development teams working to strict deadlines. Accessing ready-made building blocks for common application features saves a tremendous amount of time and resources, saving teams from reinventing the wheel for every new project and drastically reducing the SDLC.
GitHub’s most recent Octoverse report revealed that there were more than one billion contributions to open source projects in 2024 alone, and previously estimated that around 97% of all applications incorporate at least some open source code.
However, open source assets can also introduce unnecessary risk to an application. There’s always a chance that any third-party code may have vulnerabilities missed by its creator, and threat actors are escalating the risk further by purposefully injecting malicious code into the open source environment.
In October our researchers discovered that cybercriminals were targeting Python developers in the blockchain industry by uploading what appear to be useful tools for tasks like crypto wallet management and recovery. However, the packages harbored well-hidden malware obfuscated within the code.
The incident is just one of a growing number of cases where cybercriminals have exploited the inherent trust and reliance developers place on open source code repositories. While most reputable platforms make an effort to assess the safety of uploaded assets, the sheer volume of contributions and the potential for obfuscated code means the risk can never be ruled out.
Empowering developers with tailored training
Given that their most valuable resources are being exploited by cybercriminals, it’s more important than ever for developers to be security savvy. However, this has long been a challenge. One of the biggest barriers is that developers are creators and coders first and foremost and many developers will not have had the opportunity to gain real experience in AppSec.
So, the first step is to empower dev teams with structured training and proper resources if they are to take on AppSec effectively.
It’s vitally important that any training efforts are bespoke to their specific experience and needs. Generic programs often overwhelm developers with irrelevant information, making it difficult to apply lessons in practice. Tailored, role-specific training is far more effective, empowering developers to build secure code without disrupting their workflow.
One of the most effective ways of delivering this, is through Just-in-Time (JIT) training which provides actionable guidance precisely when developers encounter vulnerabilities, streamlining the remediation process. This approach aligns security with the fast pace of development, ensuring vulnerabilities are addressed efficiently. Organizations must focus on providing ways to be quick and efficient in security scanning alongside all of their development framework and methodology.
Gamified platforms can be particularly effective here, turning secure coding into an engaging skill-building exercise. These tools foster a sense of ownership, helping developers resolve vulnerabilities and understand their broader impact.
Training and development must provide real-time feedback with minimal impact on the development workflow.
Boosting collaboration with security mentorship
While tools and training are essential, mentorship programs can go even further in bridging gaps in knowledge and execution. This involves embedding security engineers within development teams to help provide guidance and hands-on training. This approach helps foster collaboration, establishing a shared responsibility for secure coding that addresses issues proactively and efficiently.
Mentorships not only ensure security becomes an integral part of the development process but can also remove the siloed “us and them” structure that is common between security and development.
Well-established mentorship programs build into the iterative process and that code is secure on release. This is especially useful for smaller organizations with more limited resources.
Getting started with security mentoring
For organizations that don’t already have a security mentor in place for their development team, a establishing a mentorship program can be fairly straight forward. The first step is to solicit volunteers who want to get involved. Mentors should have a genuine interest in building secure coding practices, rather than feeling like they’ve been forced into taking on more work.
Volunteers also benefit from gaining new skills and diversifying their role as a dev. Resources like Codebashing can provide a structured approach to AppSec skill development, along with other informational assets like webinars and events.
Thriving in a threat-filled landscape
With increasing internal pressure for faster and more efficient development cycles, development teams can often feel caught between a rock and a hard place.
To empower them to thrive in today’s fast-paced environment, organizations must support developers in integrating security into every stage of development. Tailored training and collaborative mentorship equip developers to address vulnerabilities efficiently without slowing down innovation.
We feature a list of the best mobile app development software.
This article was produced as part of TechRadarPro’s Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro
