Why Software Developers Need a Security ‘Rewards Program’

GUEST OPINION: Frequent flyer and other points-based programs reward people who remain loyal to particular brands or organisations.

The programs issue points to participants who can use them for discounts or purchases in the future. Some airline programs also reward loyal customers with perks such as priority boarding and lounge access.

It’s becoming clear that the software development industry could use something similar, especially when it comes to ensuring a ‘security first’ mindset among developers. Without such a system, it is difficult – if not impossible – for organisations and their developer teams to assess their security proficiency and compare their competencies with peers.

According to recent research, such assessments are needed now more than ever, as nearly two-thirds of developers report they find it challenging to write code free of vulnerabilities.

Skills recognition

To address these issues, many development teams are undergoing training and earning mandated certificates to boost their security skills and practices. However, these approaches – particularly when conducted in a piecemeal fashion – offer only a limited view of how participants’ progress in proficiency aligns with organisational security objectives.

Whether teams opt for on-the-job collaborative training or interactive, agile learning sessions, they would benefit substantially from standardised developer benchmarking. Such benchmarking could lead to a ‘trust score’ that, much like a rewards program, would give developers incentives for their security achievements and offer clear pathways for improvement.

There are a number of criteria that organisations should focus on when coming up with impactful industry benchmarking and an informative, actionable trust score. They include:

  • Skill proficiency: Use data to evaluate team members’ understanding of safe coding principles. Ask whether they are up to speed on the languages and trends that affect the protection of products from vulnerabilities. Also check whether they are deploying the right tools and methodologies to support a proactive, ‘security-first’ culture.

  • Industry frameworks: It is essential to gauge team members’ adherence to industry-respected security frameworks. This includes the OWASP Top 10, which helps developers stay updated on critical risks, as well as secure-by-design principles, which are a necessary step toward more consistent secure software development lifecycles.

  • Continuous training and skills improvement: Organisations should consistently invest in learning opportunities that help teams keep improving, along with metrics that measure members’ commitment to upskilling their protective capabilities.

  • Team collaboration, efficiency and performance: Benchmarking and trust scores are necessary to establish a baseline for measuring the true impact and effectiveness of learning programs and the overall security posture of developer teams. A benchmark also provides a jumping-off point for deeper conversations and collaboration between development, engineering and security teams, helping to close potential security gaps and find solutions in the software supply chain.

  • In-production performance measurement: To effectively gauge developers’ security capabilities, evaluations should extend beyond training and skill assessments to analyse their behaviour while producing code. With these benchmarks in place, consider the following questions: How many mistakes are developers still making? Are they learning from their mistakes and fixing security bugs? Are they coaching peers to develop code securely? Do they review peers’ pull requests for security flaws?

  • Competitive analysis: This aspect answers the overarching question of how one organisation compares to others in its industry. Determine whether certain trust scores lag those of competitors, indicating a need for immediate attention and training.

Establishing a baseline

Developer teams are under constant pressure to produce better code faster. As a result, they may view security as a barrier to innovation, leading them to take shortcuts or ignore vulnerabilities entirely.

To evaluate the current security culture and the mentorship provided to developers, it is important to assess not only whether they are coaching their peers but also the depth and effectiveness of their guidance and how it impacts their own security practices.

By establishing a baseline that verifies and measures developers’ secure coding skills, security teams will get a clear sense of how well developers are producing secure code from the start. Developers will gain a greater appreciation for how ‘security-first’ contributes to more robust products, and will even save time in the long haul since they won’t have to ‘work backward’ late in the process to fix issues.

Also, they will recognise that continuous improvement driven by benchmarking and trust scores makes them more capable and marketable on a professional level, leading to more interesting job opportunities and promotions. The end result is a win for the organisation, for developers, and for software security.
