A “major Australian Big Four bank” has signed a $1 million, three-year deal with a startup called Secure Code Warrior to boost the secure coding skills of 4,000 of its software developers.
In a statement, Secure Code Warrior said the deal will see it supply “demonstrated innovative hands-on training exercises” aimed at teaching the bank’s developers both to find vulnerabilities and to identify patches for the respective flaws.
Courses are designed around a “gamification” model, whereby points are awarded to participants for selecting correct answers. A “tournament mode” will also see developers compete for the title of “most secure coder”.
Coders will be put through a series of courses that will test their individual ability to write secure code. They will have to identify a series of vulnerabilities and, importantly, analyse multiple patch options in order to pass assessments.
This will teach developers to both find and patch vulnerabilities, skills that are normally separated into different spheres.
The bank’s return on investment can be demonstrated through each developer’s skills progression, which can be viewed within the security training portals, said the startup.
Developers taking the course can select their preferred language and framework from Java Spring, Java Struts, Java Enterprise, C# .NET WebForms/MVC, Ruby on Rails, Android Java, Objective-C and Python Django.
The $1 million investment in secure coding by a major Australian financial institution may be a sign of a “broader push” towards secure developer training across the financial and tech industries, the startup said.
“Ensuring that application code is written more securely in the first place can significantly reduce the effort to identify and remediate vulnerabilities once applications have been deployed,” said Pieter Danhieux, Secure Code Warrior co-founder.
“Too often secure code training consists of classroom style sessions which do not scale, fail to engage developers through abstract concepts resulting in low knowledge retention rates, and lack the educational material to show how to remediate vulnerabilities,” Danhieux said.
Such failures in training are evident in the Open Web Application Security Project (OWASP) Top 10 Web Application Security Risks list, which ranks the most prevalent web coding flaws: SQL injection (SQLi) and cross-site scripting (XSS) have featured in every edition of the list.
“These flaws are basic, yet as prevalent as they are perennial,” said Secure Code Warrior. “In the last year, SQLi was responsible for the mega breaches at Ashley Madison, Mossack Fonseca, and TalkTalk.”
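As an added illustration of the find-and-patch exercise the article describes (example code written for this page, not Secure Code Warrior’s training material), the script below takes one SQL injection flaw in a login query and compares two candidate patches against the same payloads: a keyword blocklist, which is the kind of fix that looks right and is not, and a parameterised query, which is the correct one. It runs against an in-memory SQLite database with constructed sample rows; the table layout, function names and payloads are assumptions made for the example, and the plaintext passwords exist only to keep the query short (a real system stores password hashes).

```python
"""Three versions of one login query, probed with the same inputs.

Added example for this page, not code from Secure Code Warrior or the bank.
Uses sqlite3 from the standard library and constructed sample data only.
"""
import sqlite3

# Constructed sample data: two accounts, plaintext passwords for brevity only.
SAMPLE_USERS = [
    ("alice", "s3cret", "admin"),
    ("bob", "hunter2", "user"),
]

# Two classic login-bypass payloads. The first comments out the password
# check; the second contains neither "--" nor a spaced " OR ", so a naive
# blocklist lets it through.
PAYLOAD_COMMENT = ("alice' --", "x")
PAYLOAD_NO_SPACE = ("x", "'OR'1'='1")
LEGIT = ("alice", "s3cret")


def make_db():
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """Original flaw: user input is formatted straight into the SQL text."""
    query = (
        "SELECT role FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_blocklist(conn, username, password):
    """Patch option A (bad): reject inputs containing known attack tokens.

    Blocks the comment payload but keeps building SQL by string formatting,
    so any payload the blocklist did not anticipate still injects.
    """
    for value in (username, password):
        if "--" in value or " or " in value.lower():
            return None
    return login_vulnerable(conn, username, password)


def login_parameterized(conn, username, password):
    """Patch option B (good): bind inputs as parameters, never as SQL text."""
    row = conn.execute(
        "SELECT role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def compare_patches():
    """Run the legitimate login and both payloads through each version.

    Returns {version: {"legit": role, "comment": role, "no_space": role}},
    where a role string means the attempt was accepted and None means rejected.
    """
    conn = make_db()
    versions = {
        "vulnerable": login_vulnerable,
        "blocklist": login_blocklist,
        "parameterized": login_parameterized,
    }
    results = {}
    for name, login in versions.items():
        results[name] = {
            "legit": login(conn, *LEGIT),
            "comment": login(conn, *PAYLOAD_COMMENT),
            "no_space": login(conn, *PAYLOAD_NO_SPACE),
        }
    return results


if __name__ == "__main__":
    for name, outcome in compare_patches().items():
        print(f"{name:14s} {outcome}")
```

Run as a script it prints one line per version. The vulnerable query accepts the real credentials and both payloads; the blocklist stops only the payload it was written for and still hands the no-space payload an admin role; the parameterised query accepts the real credentials and rejects both payloads. That difference between a patch that silences one payload and a patch that removes the flaw is the judgement the article says the assessments test.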
Danhieux said both organisations and developers have a tendency to “focus on features and functions over security”.
“This can result in great functional apps built with code that has both glaring and subtle security holes”, he said.
Security teams are often isolated and “bolted on” to the development process, explained Danhieux.
“Security must move from a separate team into the developers themselves, especially when using Agile methodologies,” he said. “This is demonstrated by the DevSecOps movement which says that everyone in the development process is responsible for writing in security, not just an isolated team.”