Beyond having dedicated experts, it is equally important to improve the practical security skills of all developers.
According to a recent study, the global demand for cybersecurity professionals will create more than one million unfilled cybersecurity positions by 2019, with one of the most desired skills being secure software development. No wonder, that entrepreneurs and companies are having increasingly hard time finding the security talent they need to build reliable services and keep the data of their users safe.
One way to bridge the skills gap and create more secure products is to train and hire more engineers specialized in cybersecurity. However, it is equally important to improve the cryptography and security skills of all developers working in your company, beyond those sitting in dedicated cybersecurity teams. Here are some thoughts on the reasons.
1. New apps generate more data and more risks.
The rise of medical, fitness and fintech apps along with the increasing number of connected devices produce loads of sensitive data about us. We’re trusting these apps with our healthcare records, banking information, and even the locations we visit the most. If companies creating these services lack security talent and a strategy for secure development, there’s a high risk that all of that information could be exposed to cyber security threats. For any company dealing with user data, global growth is not possible without taking security serious in all stages of the development.
2. Companies need security by design.
No matter how robust your password hashing algorithms are, if your database security is weak, your users’ data is at risk. Companies need to develop software with security in mind from day one in order to build secure systems and minimize vulnerabilities. You can construct the strongest castle out there, if you leave the gates weak, you will still lose the battle.
3. Make educated decisions on trade-offs.
It’s not always easy to create both secure and user-friendly solutions. Making sure your level of security is top-notch might increase development time for a feature that is not really visible for end-users and in some cases it might affect the performance of your software as well. With that in mind, developers make important decisions on “what’s secure enough” for their use case. To find the right balance of security and usability or performance, they need to have practical knowledge of cryptography.
4. Integrating crypto components helps.
Security challenges are frequently solved by integrating third-party components and SDKs. Even though they take most of the crypto off programmers’ shoulders, choosing and integrating them properly on all platforms and in a scalable way requires actionable knowledge on security. Also, integrating tools require regular maintenance and updates: not only do you have to find the right components, but you also have to make sure they work together properly.
For a number of tasks related to writing secure code and minimizing vulnerabilities, application developers, front-end, back-end and dev ops teams need an actionable set of cryptography and cybersecurity skills. We’re not talking about an in-depth understanding of the theoretical background, which is absolutely a must for your cryptography engineers, but a solid understanding of the main rules, best practices, do’s and don’ts.
Building this talent in your company starts at finding the right people who are willing to learn and continues with encouraging all developers to exchange knowledge with your security engineers inside the organization as well as providing training opportunities to all.