Für Entwickler, die bei der Bekämpfung der Cyberkriminalität helfen wollen, besteht das Training aus zwei Teilen
A version of this article appeared in DevOps.com. It has been updated and syndicated here.
The playing field between the heroes and villains in cybersecurity is notoriously unfair. Sensitive data is the new gold, and attackers adapt quickly to circumvent defenses, exploiting security bugs large and small for potential paydirt.
The volume of code being produced is too great for security experts -- of increasing scarcity -- to contend with, and the rising cost of data breaches is proof that something has got to give. Fortunately, for the sake of our digital safety and the sanity of CISOs everywhere, the DevSecOps movement is helping to bring developers on the security journey from the beginning of the software development process. They are being recognized as the first line of defense against cyberattackers, with the power to eliminate common vulnerabilities at their fingertips.
However, their defensive capabilities are only as good as the training they receive, and that is yet another gauntlet for security teams to run. For many developers receiving training in secure coding on the job, their key challenge is staying awake during mind-numbing, hands-off activities that are neither effective, nor inspiring them to keep security front-of-mind. Soulless video courses aren’t getting us there, token annual ‘tick-the-box’ events are a waste of time, and nobody is winning against the potential malicious threat actor waiting to jump on a small window of opportunity.
At this stage in our industry, we have worked out that contextual, hands-on education that is delivered in relevant programming languages and frameworks, with challenges that mimic those a developer might come across in the real world, is a far more engaging approach.
This is phase one of a developer’s quest to help AppSec gurus slay common vulnerabilities, but phase two is where scenarios must get real for a supercharged, security-aware defensive force.
Scaffolded learning is critical in adult education
When it comes to extracurricular courses or on-the-job training, it is often overlooked that adults bring with them a certain level of experience and existing knowledge. Good training adds to this foundation, and is structured in a way that allows for deeper understanding and faster autonomy in the learning process.
Scaffolded education is a potent, positive method of learning that seeks to activate and enhance prior experience, while continuing to build new skills - in manageable chunks - that allow the tutee to tackle increasingly difficult tasks with more confidence. Typically, it is a methodology best served with healthy portions of demonstration, visual aids, and student-led exploration.
If we tie this approach back to developer security training, it comes as no surprise that the dynamic, learn-by-doing method has long been preferred over the drudgery that is theory-based static learning. They are free to be the masters of their domain, and should see that their time is well spent.
In that sense, learning to code securely in a hyper-relevant, contextual environment is key, but the ‘level up’ from this step is to see an exploit of vulnerable code in action. With the context of frontend and backend views side-by-side, there is a tangible link between actions taken during the coding process, and what an attacker can potentially do with cut corners, misconfigurations, or accidents that are not caught and remedied.
Move from recall to application for a truly preventative security approach
Experiencing the impact of security vulnerabilities first-hand is a vital piece of the education puzzle, and it’s a fairly rare beast, even with the most modern security training options for developers. The foundational work spent on honing skills in spotting and remediating vulnerabilities, and recalling that experience to eliminate the same bugs in code as it is being written is extremely important, but it’s not the whole picture. To see how vulnerable code is exploited by a malicious actor adds a powerful layer of context, one that really drives home the importance of securing code, and applying hard-earned security knowledge to close every window of opportunity.
It is generally accepted that developers don’t love security, and they have even less affection for security training. Their experiences with AppSec specialists can be very frosty, and the rework caused by the security team bouncing vulnerable code back to developers for remediation is the bane of their existence. To an engineering team that is already spread thin, security is someone else’s problem, not their priority, and a hindrance to their natural creativity and primary objective of building features. However, there is simply too much code, too many breaches, and too much risk to the world’s data for this mindset to continue.
A functional DevSecOps process has developers working in harmony with security teams right at the beginning of the SDLC, and the opportunity for applied learning where they can interact with a simulated exploit, and see the impact of poorly secured code goes a long way in getting developers on the same page as those pesky AppSec people (who aren’t so bad after all).
Interactive learning prepares developers for the boss fight
At the time of writing, there were two major breaches reported in a 7-day period: Razer announced that over 100,000 sensitive data records had been exposed, while office supplies chain Staples also reported a similar data leak. Over a billion sensitive records have been exposed so far in 2020, and this worrying trend shows no signs of slowing down. Simply put, malicious actors have the upper hand, and security-aware developers are sorely needed to serve as the front line of defense.
Interactive challenges that focus on simulating such breaches move developers from passive recall, to applying skills that have an impact on the real boss fight: stopping attackers in their tracks.
Die Wettbewerbsbedingungen zwischen Helden und Bösewichten in der Cybersicherheit sind bekanntermaßen unfair. Sensible Daten sind das neue Gold, und Angreifer passen sich schnell an, um Abwehrmaßnahmen zu umgehen, und nutzen große und kleine Sicherheitslücken für potenzielle Gehälter aus.
Matias Madou, Ph.D. is a security expert, researcher, and CTO and co-founder of Secure Code Warrior. Matias obtained his Ph.D. in Application Security from Ghent University, focusing on static analysis solutions. He later joined Fortify in the US, where he realized that it was insufficient to solely detect code problems without aiding developers in writing secure code. This inspired him to develop products that assist developers, alleviate the burden of security, and exceed customers' expectations. When he is not at his desk as part of Team Awesome, he enjoys being on stage presenting at conferences including RSA Conference, BlackHat and DefCon.
Secure Code Warrior ist für Ihr Unternehmen da, um Ihnen zu helfen, Code während des gesamten Softwareentwicklungszyklus zu sichern und eine Kultur zu schaffen, in der Cybersicherheit an erster Stelle steht. Ganz gleich, ob Sie AppSec-Manager, Entwickler, CISO oder jemand anderes sind, der sich mit Sicherheit befasst, wir können Ihrem Unternehmen helfen, die mit unsicherem Code verbundenen Risiken zu reduzieren.
Eine Demo buchen
Matias Madou, Ph.D. is a security expert, researcher, and CTO and co-founder of Secure Code Warrior. Matias obtained his Ph.D. in Application Security from Ghent University, focusing on static analysis solutions. He later joined Fortify in the US, where he realized that it was insufficient to solely detect code problems without aiding developers in writing secure code. This inspired him to develop products that assist developers, alleviate the burden of security, and exceed customers' expectations. When he is not at his desk as part of Team Awesome, he enjoys being on stage presenting at conferences including RSA Conference, BlackHat and DefCon.
Matias is a researcher and developer with more than 15 years of hands-on software security experience. He has developed solutions for companies such as Fortify Software and his own company Sensei Security. Over his career, Matias has led multiple application security research projects which have led to commercial products and boasts over 10 patents under his belt. When he is away from his desk, Matias has served as an instructor for advanced application security training courses and regularly speaks at global conferences including RSA Conference, Black Hat, DefCon, BSIMM, OWASP AppSec and BruCon.
Matias holds a Ph.D. in Computer Engineering from Ghent University, where he studied application security through program obfuscation to hide the inner workings of an application.
A version of this article appeared in DevOps.com. It has been updated and syndicated here.
The playing field between the heroes and villains in cybersecurity is notoriously unfair. Sensitive data is the new gold, and attackers adapt quickly to circumvent defenses, exploiting security bugs large and small for potential paydirt.
The volume of code being produced is too great for security experts -- of increasing scarcity -- to contend with, and the rising cost of data breaches is proof that something has got to give. Fortunately, for the sake of our digital safety and the sanity of CISOs everywhere, the DevSecOps movement is helping to bring developers on the security journey from the beginning of the software development process. They are being recognized as the first line of defense against cyberattackers, with the power to eliminate common vulnerabilities at their fingertips.
However, their defensive capabilities are only as good as the training they receive, and that is yet another gauntlet for security teams to run. For many developers receiving training in secure coding on the job, their key challenge is staying awake during mind-numbing, hands-off activities that are neither effective, nor inspiring them to keep security front-of-mind. Soulless video courses aren’t getting us there, token annual ‘tick-the-box’ events are a waste of time, and nobody is winning against the potential malicious threat actor waiting to jump on a small window of opportunity.
At this stage in our industry, we have worked out that contextual, hands-on education that is delivered in relevant programming languages and frameworks, with challenges that mimic those a developer might come across in the real world, is a far more engaging approach.
This is phase one of a developer’s quest to help AppSec gurus slay common vulnerabilities, but phase two is where scenarios must get real for a supercharged, security-aware defensive force.
Scaffolded learning is critical in adult education
When it comes to extracurricular courses or on-the-job training, it is often overlooked that adults bring with them a certain level of experience and existing knowledge. Good training adds to this foundation, and is structured in a way that allows for deeper understanding and faster autonomy in the learning process.
Scaffolded education is a potent, positive method of learning that seeks to activate and enhance prior experience, while continuing to build new skills - in manageable chunks - that allow the tutee to tackle increasingly difficult tasks with more confidence. Typically, it is a methodology best served with healthy portions of demonstration, visual aids, and student-led exploration.
If we tie this approach back to developer security training, it comes as no surprise that the dynamic, learn-by-doing method has long been preferred over the drudgery that is theory-based static learning. They are free to be the masters of their domain, and should see that their time is well spent.
In that sense, learning to code securely in a hyper-relevant, contextual environment is key, but the ‘level up’ from this step is to see an exploit of vulnerable code in action. With the context of frontend and backend views side-by-side, there is a tangible link between actions taken during the coding process, and what an attacker can potentially do with cut corners, misconfigurations, or accidents that are not caught and remedied.
Move from recall to application for a truly preventative security approach
Experiencing the impact of security vulnerabilities first-hand is a vital piece of the education puzzle, and it’s a fairly rare beast, even with the most modern security training options for developers. The foundational work spent on honing skills in spotting and remediating vulnerabilities, and recalling that experience to eliminate the same bugs in code as it is being written is extremely important, but it’s not the whole picture. To see how vulnerable code is exploited by a malicious actor adds a powerful layer of context, one that really drives home the importance of securing code, and applying hard-earned security knowledge to close every window of opportunity.
It is generally accepted that developers don’t love security, and they have even less affection for security training. Their experiences with AppSec specialists can be very frosty, and the rework caused by the security team bouncing vulnerable code back to developers for remediation is the bane of their existence. To an engineering team that is already spread thin, security is someone else’s problem, not their priority, and a hindrance to their natural creativity and primary objective of building features. However, there is simply too much code, too many breaches, and too much risk to the world’s data for this mindset to continue.
A functional DevSecOps process has developers working in harmony with security teams right at the beginning of the SDLC, and the opportunity for applied learning where they can interact with a simulated exploit, and see the impact of poorly secured code goes a long way in getting developers on the same page as those pesky AppSec people (who aren’t so bad after all).
Interactive learning prepares developers for the boss fight
At the time of writing, there were two major breaches reported in a 7-day period: Razer announced that over 100,000 sensitive data records had been exposed, while office supplies chain Staples also reported a similar data leak. Over a billion sensitive records have been exposed so far in 2020, and this worrying trend shows no signs of slowing down. Simply put, malicious actors have the upper hand, and security-aware developers are sorely needed to serve as the front line of defense.
Interactive challenges that focus on simulating such breaches move developers from passive recall, to applying skills that have an impact on the real boss fight: stopping attackers in their tracks.
A version of this article appeared in DevOps.com. It has been updated and syndicated here.
The playing field between the heroes and villains in cybersecurity is notoriously unfair. Sensitive data is the new gold, and attackers adapt quickly to circumvent defenses, exploiting security bugs large and small for potential paydirt.
The volume of code being produced is too great for security experts -- of increasing scarcity -- to contend with, and the rising cost of data breaches is proof that something has got to give. Fortunately, for the sake of our digital safety and the sanity of CISOs everywhere, the DevSecOps movement is helping to bring developers on the security journey from the beginning of the software development process. They are being recognized as the first line of defense against cyberattackers, with the power to eliminate common vulnerabilities at their fingertips.
However, their defensive capabilities are only as good as the training they receive, and that is yet another gauntlet for security teams to run. For many developers receiving training in secure coding on the job, their key challenge is staying awake during mind-numbing, hands-off activities that are neither effective, nor inspiring them to keep security front-of-mind. Soulless video courses aren’t getting us there, token annual ‘tick-the-box’ events are a waste of time, and nobody is winning against the potential malicious threat actor waiting to jump on a small window of opportunity.
At this stage in our industry, we have worked out that contextual, hands-on education that is delivered in relevant programming languages and frameworks, with challenges that mimic those a developer might come across in the real world, is a far more engaging approach.
This is phase one of a developer’s quest to help AppSec gurus slay common vulnerabilities, but phase two is where scenarios must get real for a supercharged, security-aware defensive force.
Scaffolded learning is critical in adult education
When it comes to extracurricular courses or on-the-job training, it is often overlooked that adults bring with them a certain level of experience and existing knowledge. Good training adds to this foundation, and is structured in a way that allows for deeper understanding and faster autonomy in the learning process.
Scaffolded education is a potent, positive method of learning that seeks to activate and enhance prior experience, while continuing to build new skills - in manageable chunks - that allow the tutee to tackle increasingly difficult tasks with more confidence. Typically, it is a methodology best served with healthy portions of demonstration, visual aids, and student-led exploration.
If we tie this approach back to developer security training, it comes as no surprise that the dynamic, learn-by-doing method has long been preferred over the drudgery that is theory-based static learning. They are free to be the masters of their domain, and should see that their time is well spent.
In that sense, learning to code securely in a hyper-relevant, contextual environment is key, but the ‘level up’ from this step is to see an exploit of vulnerable code in action. With the context of frontend and backend views side-by-side, there is a tangible link between actions taken during the coding process, and what an attacker can potentially do with cut corners, misconfigurations, or accidents that are not caught and remedied.
Move from recall to application for a truly preventative security approach
Experiencing the impact of security vulnerabilities first-hand is a vital piece of the education puzzle, and it’s a fairly rare beast, even with the most modern security training options for developers. The foundational work spent on honing skills in spotting and remediating vulnerabilities, and recalling that experience to eliminate the same bugs in code as it is being written is extremely important, but it’s not the whole picture. To see how vulnerable code is exploited by a malicious actor adds a powerful layer of context, one that really drives home the importance of securing code, and applying hard-earned security knowledge to close every window of opportunity.
It is generally accepted that developers don’t love security, and they have even less affection for security training. Their experiences with AppSec specialists can be very frosty, and the rework caused by the security team bouncing vulnerable code back to developers for remediation is the bane of their existence. To an engineering team that is already spread thin, security is someone else’s problem, not their priority, and a hindrance to their natural creativity and primary objective of building features. However, there is simply too much code, too many breaches, and too much risk to the world’s data for this mindset to continue.
A functional DevSecOps process has developers working in harmony with security teams right at the beginning of the SDLC, and the opportunity for applied learning where they can interact with a simulated exploit, and see the impact of poorly secured code goes a long way in getting developers on the same page as those pesky AppSec people (who aren’t so bad after all).
Interactive learning prepares developers for the boss fight
At the time of writing, there were two major breaches reported in a 7-day period: Razer announced that over 100,000 sensitive data records had been exposed, while office supplies chain Staples also reported a similar data leak. Over a billion sensitive records have been exposed so far in 2020, and this worrying trend shows no signs of slowing down. Simply put, malicious actors have the upper hand, and security-aware developers are sorely needed to serve as the front line of defense.
Interactive challenges that focus on simulating such breaches move developers from passive recall, to applying skills that have an impact on the real boss fight: stopping attackers in their tracks.
Klicken Sie auf den Link unten und laden Sie das PDF dieser Ressource herunter.
Secure Code Warrior ist für Ihr Unternehmen da, um Ihnen zu helfen, Code während des gesamten Softwareentwicklungszyklus zu sichern und eine Kultur zu schaffen, in der Cybersicherheit an erster Stelle steht. Ganz gleich, ob Sie AppSec-Manager, Entwickler, CISO oder jemand anderes sind, der sich mit Sicherheit befasst, wir können Ihrem Unternehmen helfen, die mit unsicherem Code verbundenen Risiken zu reduzieren.
Bericht ansehenEine Demo buchen
Matias Madou, Ph.D. is a security expert, researcher, and CTO and co-founder of Secure Code Warrior. Matias obtained his Ph.D. in Application Security from Ghent University, focusing on static analysis solutions. He later joined Fortify in the US, where he realized that it was insufficient to solely detect code problems without aiding developers in writing secure code. This inspired him to develop products that assist developers, alleviate the burden of security, and exceed customers' expectations. When he is not at his desk as part of Team Awesome, he enjoys being on stage presenting at conferences including RSA Conference, BlackHat and DefCon.
Matias is a researcher and developer with more than 15 years of hands-on software security experience. He has developed solutions for companies such as Fortify Software and his own company Sensei Security. Over his career, Matias has led multiple application security research projects which have led to commercial products and boasts over 10 patents under his belt. When he is away from his desk, Matias has served as an instructor for advanced application security training courses and regularly speaks at global conferences including RSA Conference, Black Hat, DefCon, BSIMM, OWASP AppSec and BruCon.
Matias holds a Ph.D. in Computer Engineering from Ghent University, where he studied application security through program obfuscation to hide the inner workings of an application.
A version of this article appeared in DevOps.com. It has been updated and syndicated here.
The playing field between the heroes and villains in cybersecurity is notoriously unfair. Sensitive data is the new gold, and attackers adapt quickly to circumvent defenses, exploiting security bugs large and small for potential paydirt.
The volume of code being produced is too great for security experts -- of increasing scarcity -- to contend with, and the rising cost of data breaches is proof that something has got to give. Fortunately, for the sake of our digital safety and the sanity of CISOs everywhere, the DevSecOps movement is helping to bring developers on the security journey from the beginning of the software development process. They are being recognized as the first line of defense against cyberattackers, with the power to eliminate common vulnerabilities at their fingertips.
However, their defensive capabilities are only as good as the training they receive, and that is yet another gauntlet for security teams to run. For many developers receiving training in secure coding on the job, their key challenge is staying awake during mind-numbing, hands-off activities that are neither effective, nor inspiring them to keep security front-of-mind. Soulless video courses aren’t getting us there, token annual ‘tick-the-box’ events are a waste of time, and nobody is winning against the potential malicious threat actor waiting to jump on a small window of opportunity.
At this stage in our industry, we have worked out that contextual, hands-on education that is delivered in relevant programming languages and frameworks, with challenges that mimic those a developer might come across in the real world, is a far more engaging approach.
This is phase one of a developer’s quest to help AppSec gurus slay common vulnerabilities, but phase two is where scenarios must get real for a supercharged, security-aware defensive force.
Scaffolded learning is critical in adult education
When it comes to extracurricular courses or on-the-job training, it is often overlooked that adults bring with them a certain level of experience and existing knowledge. Good training adds to this foundation, and is structured in a way that allows for deeper understanding and faster autonomy in the learning process.
Scaffolded education is a potent, positive method of learning that seeks to activate and enhance prior experience, while continuing to build new skills - in manageable chunks - that allow the tutee to tackle increasingly difficult tasks with more confidence. Typically, it is a methodology best served with healthy portions of demonstration, visual aids, and student-led exploration.
If we tie this approach back to developer security training, it comes as no surprise that the dynamic, learn-by-doing method has long been preferred over the drudgery that is theory-based static learning. They are free to be the masters of their domain, and should see that their time is well spent.
In that sense, learning to code securely in a hyper-relevant, contextual environment is key, but the ‘level up’ from this step is to see an exploit of vulnerable code in action. With the context of frontend and backend views side-by-side, there is a tangible link between actions taken during the coding process, and what an attacker can potentially do with cut corners, misconfigurations, or accidents that are not caught and remedied.
Move from recall to application for a truly preventative security approach
Experiencing the impact of security vulnerabilities first-hand is a vital piece of the education puzzle, and it’s a fairly rare beast, even with the most modern security training options for developers. The foundational work spent on honing skills in spotting and remediating vulnerabilities, and recalling that experience to eliminate the same bugs in code as it is being written is extremely important, but it’s not the whole picture. To see how vulnerable code is exploited by a malicious actor adds a powerful layer of context, one that really drives home the importance of securing code, and applying hard-earned security knowledge to close every window of opportunity.
It is generally accepted that developers don’t love security, and they have even less affection for security training. Their experiences with AppSec specialists can be very frosty, and the rework caused by the security team bouncing vulnerable code back to developers for remediation is the bane of their existence. To an engineering team that is already spread thin, security is someone else’s problem, not their priority, and a hindrance to their natural creativity and primary objective of building features. However, there is simply too much code, too many breaches, and too much risk to the world’s data for this mindset to continue.
A functional DevSecOps process has developers working in harmony with security teams right at the beginning of the SDLC, and the opportunity for applied learning where they can interact with a simulated exploit, and see the impact of poorly secured code goes a long way in getting developers on the same page as those pesky AppSec people (who aren’t so bad after all).
Interactive learning prepares developers for the boss fight
At the time of writing, there were two major breaches reported in a 7-day period: Razer announced that over 100,000 sensitive data records had been exposed, while office supplies chain Staples also reported a similar data leak. Over a billion sensitive records have been exposed so far in 2020, and this worrying trend shows no signs of slowing down. Simply put, malicious actors have the upper hand, and security-aware developers are sorely needed to serve as the front line of defense.
Interactive challenges that focus on simulating such breaches move developers from passive recall, to applying skills that have an impact on the real boss fight: stopping attackers in their tracks.
Inhaltsverzeichniss
Matias Madou, Ph.D. is a security expert, researcher, and CTO and co-founder of Secure Code Warrior. Matias obtained his Ph.D. in Application Security from Ghent University, focusing on static analysis solutions. He later joined Fortify in the US, where he realized that it was insufficient to solely detect code problems without aiding developers in writing secure code. This inspired him to develop products that assist developers, alleviate the burden of security, and exceed customers' expectations. When he is not at his desk as part of Team Awesome, he enjoys being on stage presenting at conferences including RSA Conference, BlackHat and DefCon.
Secure Code Warrior ist für Ihr Unternehmen da, um Ihnen zu helfen, Code während des gesamten Softwareentwicklungszyklus zu sichern und eine Kultur zu schaffen, in der Cybersicherheit an erster Stelle steht. Ganz gleich, ob Sie AppSec-Manager, Entwickler, CISO oder jemand anderes sind, der sich mit Sicherheit befasst, wir können Ihrem Unternehmen helfen, die mit unsicherem Code verbundenen Risiken zu reduzieren.
Eine Demo buchenHerunterladenRessourcen für den Einstieg
Themen und Inhalte der Securecode-Schulung
Unsere branchenführenden Inhalte werden ständig weiterentwickelt, um der sich ständig ändernden Softwareentwicklungslandschaft unter Berücksichtigung Ihrer Rolle gerecht zu werden. Themen, die alles von KI bis XQuery Injection abdecken und für eine Vielzahl von Rollen angeboten werden, von Architekten und Ingenieuren bis hin zu Produktmanagern und QA. Verschaffen Sie sich einen kleinen Einblick in das Angebot unseres Inhaltskatalogs nach Themen und Rollen.
%20(1).avif)
.avif)
Threat Modeling with AI: Turning Every Developer into a Threat Modeler
Walk away better equipped to help developers combine threat modeling ideas and techniques with the AI tools they're already using to strengthen security, improve collaboration, and build more resilient software from the start.
Ressourcen für den Einstieg
Cybermon is back: Beat the Boss KI-Missionen jetzt auf Abruf verfügbar
Cybermon 2025 Beat the Boss ist jetzt das ganze Jahr über in SCW verfügbar. Setzt fortschrittliche KI/LLM-Sicherheitsanforderungen ein, um die sichere KI-Entwicklung in einem großen Maßstab zu stärken.
Cyber-Resilienz-Gesetz erklärt: Was das für die Entwicklung von Secure by Design-Software bedeutet
Erfahren Sie, was der EU Cyber Resilience Act (CRA) verlangt, für wen er gilt und wie sich Entwicklungsteams mit sicheren Methoden, der Vorbeugung von Sicherheitslücken und dem Aufbau von Fähigkeiten für Entwickler darauf vorbereiten können.
