Financial services institutions face an array of challenges that hinge on their ability to make efficient, effective use of technology in a fast-evolving financial world.

Organizations are operating in a time of rapid changes—both internally and across the industry—in a highly competitive, cloud-based business environment. In pursuing their ongoing digital transformations, for example, organizations are working to get around the organizational friction that hinders investments into new technologies, such as artificial intelligence, that could accelerate payment processes and other procedures. 

However, there also needs to be more awareness about how this growth impacts the ability to maintain a secure coding environment.

In this guide on security trends for financial service companies, you’ll discover:

• How AI development tools are impacting the software development lifecycle.
• Why increased regulation matters to financial services and how it impacts your team.
• What agile learning can do for your team’s secure coding.
• How the growth of third-party apps will contribute to your security landscape.
• Why the enhanced focus on ROI across teams doesn’t have to worry you when it comes to training.

‍

PCI DSS 4.0 Unraveled: Seize the opportunity to nail security upskilling for developers

If you’re an AppSec or development manager, you have likely noticed by now that most developers aren’t thrilled at the prospect of compliance training. Even the word “compliance” has most people stifling a yawn. However, it is a vital exercise, and we need to do better to capture the hearts and minds of the development cohort.

Secure software development is no longer a “nice to have” in any company; it should be front-of-mind in every organization. And if that organization holds vast amounts of sensitive customer information, it is ripe for the picking when it comes to costly cyberattacks. Developers are the first to get hands-on with code, and as such, should be just as involved as the rest of the team in any security compliance measures.

This is an opportunity for the developers and AppSec professionals to band together to pursue a higher standard of code. Ever so slowly, the world is catching up to the fact that, to date, developers haven’t exactly had the right tools at their disposal to make security a priority (and siloed security specialists cannot shoulder the responsibility alone). However, as the industry moves towards an AI-augmented, DevSecOps future with security as a shared responsibility, they can build the skill set needed to help stem the flow of recurring vulnerabilities.

The 2025 deadline to comply with PCI DSS 4.0 is the industry’s biggest opportunity yet to elevate developers with the skills and tech stack required to impact software security positively from the ground up. These latest guidelines are the most operations-flexible to date, and the time is now to create a potent, custom security program that places developers in the driver’s seat of meaningful change.

Read the no-nonsense guide to getting your development team on board with PCI DSS compliance, including:

• What is required of the modern developer to achieve PCI DSS 4.0 compliance.
• How security professionals and development managers can work together to build formidable, developer-driven security programs.
• Step-by-step recommendations of the most potent, rewarding training initiatives to reduce vulnerabilities for good.

‍

Artificial intelligence engines are starting to populate everywhere, with each new model and version seemingly bringing forth more powerful and impressive capabilities that can be applied in a variety of fields. One area that has been suggested as a good possible use case for AI is writing code, and some models have already proven their abilities using a multitude of programming languages.

However, the premise that AI could take over the jobs of human software engineers is overstated. All of the top AI models operating today have demonstrated critical limitations when it comes to their advanced programming prowess, not the least of which is their tendency to introduce errors and vulnerabilities into the code they compile at cracking speed. 

While it’s true that the use of AI can help save some time for overworked programmers, the future will likely be one where humans and AI work together, with talented personnel entirely in charge of applying critical thinking and precision skills that ensure all code is as secure as possible. As such, the ability to write secure code, spot vulnerabilities, and establish that applications are as protected as possible long before they ever enter a production environment is vital.

In this new white paper from Secure Code Warrior, you will learn:

• The pitfalls of blind trust in LLM code output.
• Why security-skilled developers are key to safely “pair programming” with AI coding tools.
• The best strategies to upskill the development cohort in the age of AI-assisted programming.
• An interactive challenge to showcase AI limitations (and how you can navigate them).

‍

Agile learning platforms: ROI of developer-driven security

In a fast-evolving software landscape developers now bear the responsibility for secure-by-design products. In this joint report from Secure Code Warrior and Accenture, we explore the challenges around traditional security training and the opportunity costs of disrupting developer workflows. Enter an agile learning platform for secure code, which reduces vulnerabilities by half while enhancing productivity. 

In this whitepaper, our experts at Secure Code Warrior and Accenture unpack: 

• How to calculate the ROI of agile learning with factors like licensing, salaries, and remediation time. 
• Learn how Accenture integrates Secure Code Warrior, transforming secure code training and emphasizing the value of developer education.
• Secure Code Warrior users experience a 148% boost in developer productivity, reduced vulnerability counts, and accelerated release cycles, making proactive security financially viable.

‍

What is Devlympics?

Devlympics is an annual global tournament hosted by Secure Code Warrior on its agile learning platform to test the secure code skills of developers.

During the 24-hour tournament, developers from around the world competed in offensive and defensive coding challenges in their choice of programming languages. Developers had the opportunity to compete against their peers across a range of skills and duke it out to gain points and rise to the top of the leaderboard.

In this report, you’ll get an overview of the Devlympics 2023 results, as well as a deep dive into the strengths and opportunities highlighted by hundreds of developers across the challenges played. Plus, we’ve highlighted trends for each industry, language, and common CWEs (Common Weakness Enumerations) tackled by developers to help take your secure code learning to the next level.

What developers say about Devlympics and Secure Code Warrior

“Secure Code Warrior is a great platform to compete with other participants and improve your skills.”

“Secure Code Warrior takes an interactive, code-review like approach” 

“Secure Code Warrior is one of the best platforms that trains you through interesting competition.”

“Exciting, thrilling, and I loved it!” 

Developers love Secure Code Warrior

We surveyed over 200 participants after the event, and the numbers show that developers love the competition.

Developer engagement

Developer participation in Devlympics continues to grow year over year, with over 1000 developers playing in the 2023 tournament. Devlympics attracted attention from across the world, from security professionals and developers across multiple industries and programming disciplines. With double the engagement from last year, we are noting a trend in developers becoming more keen on learning how to code securely. By growing a community of security-skilled developers, Devlympics continues to highlight the value of developers as your first line of defense in protecting your code from vulnerabilities.

‍

Industries present at Devlympics

Secure code is important for all industries, but for some particular sectors, it is absolutely mission-critical. Industries like Banking & Financial Services and Technology held the top spots for the number of developers participating. This showcases the importance of these industries’ continued focus and emphasis on secure code.

‍

Languages played by industry

Different industries utilize a variety of programming languages - of which there were 6 different categories (Web, Mobile, Front-End, API, and Cloud, and Mashup) with over 30 different languages available. These were some of the languages we noted were trending for different industries.

‍

Can’t stop, won’t stop

Players in Devlympics spent on average almost 3 hours on the platform - resulting in a total of 4,152 hours of total gameplay.

Some developers at the very top of the leaderboard took it to the next level. The top 20 players with the most play time averaged 14 hours playing in the tournament. Now that’s dedication!

‍

Full stack developers

In Devlympics, 41% of developers played in at least 2 different languages, with almost a quarter playing in 3+ languages.

According to Stack Overflow, developers who commit production code in 2 or more languages are considered full stack developers.

Does your training program ensure developers are trained in all the technologies they commit code in? With over 63 different languages and frameworks offered, the Secure Code Warrior platform has got you covered.

‍

‍

Tech stack trends

Secure code is of prime importance in code that is publicly accessible.

Across all industries, developers played using Web or API languages.

Java Spring and Docker Basic took the top spots as the most played individual languages in the tournament.

‍

‍

‍

Community of security champions

The best of the best competed in this year’s Devlympics - the majority of whom are already Secure Code Warrior customers - and the results reflect this! Across all industries, Devlympics players performed much better than the industry benchmark Secure Code Warrior has noted for Assessments on its platform.

As we continue to build our community of dedicated developer security champions on the Secure Code Warrior platform, we expect these numbers to keep getting more promising every year!

Key vulnerabilities - Web & API

Developers who participated in Devlympics exhibited good skill levels in the OWASP Top 10 categories for Injection Flaws and Vulnerable Third-Party Components. We are optimistic that we will eventually see these vulnerabilities drop from the OWASP Top 10 lists over time.

Mass Assignment is still a major issue. Developer skill level was one of the lower for this particular vulnerability. Given the lack of automated tooling and testing in this space, this is a real cause of concern and should be closely monitored. More education in this space will also help alleviate pressure from security teams dealing with this particular vulnerability.

‍

‍

CWE top 25 most dangerous software weaknesses

Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Weaknesses list provides developers with an annual list of the most common and impactful software weaknesses today.

#1 CWE-787 Memory Corruption, #9 CWE-352 Cross-site Request Forgery, and #10 CWE-434 File Upload were lowest accuracy scores during Devlympics. 

Injection-related vulnerabilities such as #3 SWE-89 SQL Injection, #5 CWE-78 OS Command Injection, and #8 CWE-22 Path Traversal were some of the best-scoring CWEs during Devlympics. We expect these vulnerabilities to lower in the pecking order out of the industry lists like the CWE Top 25 or OWASP Top 10 as developers’ skills improve.

‍

Weakness in order

‍

Conclusion

The 2023 Devlympics demonstrates that developers around the world engage and learn while participating in the tournament. The impact will be felt beyond just the pride they feel from competing, but the real-world scenarios make it easy to retain their knowledge and go from practice to application.

Secure Code Warrior is the industry-leading secure code agile learning platform that empowers developers to build the skills they need to write secure code.

With Secure Code Warrior, you can run your own tournament like Devlympics for your development teams. Bring your team together for a fun, gamified competition where they will learn all about locating, identifying, and fixing software vulnerabilities.

‍

Join the growing community

Our vision is to inspire a global community of security-skilled developers to embrace a preventative, secure coding culture. Our focus is to strengthen security resilience by minimizing the occurrence of attacks, threats, and risks, so that you can drive change, innovate, and accelerate. We believe that coaching and mentoring is an integral part of joining our developer community!

Register for Devlympics 2024 and follow us on X to stay up to date on all announcements.

‍

‍

TL;DR

Sage is a British multinational enterprise software company that provides businesses with software and services that are simple and easy to use for Payroll, HR, and Finance. As of 2017, it is the UK's second largest technology company, the world's third-largest supplier of enterprise resource planning software, and the largest supplier to small businesses - with over 6 million customers worldwide.

Situation 

Before working with Secure Code Warrior, Sage began outlining their Security Champion Network for approximately 10 years. Despite the robust network of security-focused developers, training was sporadic and not structured to focus on risk reduction. 

Sage recognized that it was important to spend time building relationships and embedding security over a period of time with a flexible approach. Sage’s program tied its goals to risk reduction and the material impact of that program. When piloting the program with certain business units, they focused on how to measure risk reduction and replay it back to the business to win developer and senior leadership’s buy-in. 

Action

Mads Howard, People-Centered Security Lead at Sage, worked with developers to understand the personas of security champions. She met with developers in each business unit and conducted interviews with them to understand what motivates them, how they like to learn, and what limitations they see in their work. She and her team worked to build relationships with developers and their team leads, and emphasized the importance of being flexible in their approach.

Mads emphasizes a relationship building approach,

“We spent a lot of time building relationships with dev. team leaders, engineering team leaders, and product managers- the people that control the time spent on education during sprint cycles.”

According to Mads, it also boiled down to scaling out their security champions network,

“The security champion network has been seen as a key control of that program. So in order for products to move through this program, we had to really take seriously the role of having somebody as a security champion and also provide them with solid security training.” 

The Global Security Teams goal at Sage was to implement a Security Control Program that took into consideration the learning needs of developers in a complex technology environment and choose a partner that worked alongside their existing security tooling to aid in vulnerability management. 

It was important that education was seen as an important aspect of a mature security control program. They focused on measuring risk reduction through: 

• Risk Score Improvement
• Vulnerability Age Reduction in vulnerability backlog
• Resolution Time
• No closed vulnerabilities v. open vulnerabilities
• Number of issues per line of Sage written code (not third party)

For Mads,

"The next phase for Sage as a business is to demonstrate that upskilling through a secure coding program that is embedded in developer workflows delivers measurable risk reduction."

Results

Mads emphasized the importance of the partnership and guidance Secure Code Warrior provided her and her team,

“I honestly would say that we would not have been able to get this far and build out a kind of a program that has this level of maturity in terms of different layers or dev team across different technologies without the support of Secure Code Warrior.” 

Once Mads and her team completed their interviews and won developer buy-in, she began to implement Secure Code Warrior to be part of a wider security culture program. 

The results, according to Mads, is,

“Sage has 200 plus security champions now enrolled in the program, and if a security champion is dedicating 3.5 hours a week (or 10% of their time) to skills building, they can advocate for a secure coding program, they can advocate for continuous training, and they can advocate for the value it gives them.” 

With senior leader buy-in and measurable goals around risk reduction - Mads was able to begin to measure success around not only the number of people on a platform and the hours played, but time to fix vulnerabilities, vulnerability age, and then comparing with the new features that have been built for customers to give a holistic viewpoint on vulnerability reduction. For one team the impact felt was enormous - with an 82% reduction in mean time to fix a vulnerability. 

However, what mattered more, Howard added, was the unquantifiable - the engagement, the commitment, and the willingness of teams to be involved in the program.

Key Takeaways

The Sage experience underlines the relevance of well-planned and executed security training, the importance of a flexible, integrated approach - a lesson worth learning for any organization aiming for a robust, secure coding program. According to Mads, it’s important to remember that working with developers, not against them, is the key to implementing a successful security control program and embedding security into the company’s culture. 

• Creating a Security Culture doesn’t happen overnight. It’s important to spend time building relationships and embedding security over a period of time, and dedicating resources to do so. 
• Tie everything back to risk reduction and focus on what the material impact is of a secure coding program.
• Focus on how you can measure that risk reduction to replay it back to the business so the program is seen as impactful and successful by both developers and senior leadership alike. 

For developers looking to be security champions, she and her team also offered this advice: 

• Build a network around you of people who are interested in security and get involved in conferences and talks. Spend time learning about the topics that interest you. 
• Keep in mind an organization’s culture isn’t going to change overnight, and it will take time to develop and mature. 

‍