Even though security has become a growing concern, the immense pressure to ship applications on time means that for most teams it is still an afterthought rather than an integral part of the development process.
If there is one common constraint for both development and security teams, it’s time. They struggle to fulfill demanding tasks within strict deadlines, and reactive approaches do not offer much help.
In a conventional vulnerability management process, whenever vulnerabilities are discovered by automated security tools or manual reviews, the security team hands them to the development team. Because the two teams often differ in priorities and size, this hand-off easily leads to friction between them.
Each vulnerability passed along in this way adds to the workload, and precious resources are spent on overhead such as assigning and tracking issues, verifying fixes and closing tickets, rather than on preventing the vulnerability from being introduced at all.
Developers generally face the same recurring issues. Pressured by time and deadlines, they focus on quick patches that often do not remove the root causes of security problems. It is tempting to rely on security tools to stop developers from making mistakes, but automated tools only scratch the surface and catch the most obvious mistakes. Moreover, even when they are available, most developers do not use the security features built into common programming frameworks.
For developers to build a secure coding mindset and learn to recognize common security patterns, they need training. Systematizing the problems that occur and sharing that information across teams is also crucial, so that the same mistake is not repeated by multiple developers. Training is a long-term investment, but it pays off. Companies that invest in training tend to have higher employee retention, and they build trust among their employees that can make them more competitive in the long run.
In order to reduce the number of AppSec-related vulnerabilities, we need to get to the root of the problem: the code itself. So how can we help our developers write more secure code?
Oftentimes it is the same developers introducing the same types of security vulnerabilities into the source code. With effective and efficient training programs, these recurring vulnerabilities can be prevented. Not only will there be fewer vulnerabilities, but also fewer vulnerability management tasks, freeing up bandwidth for both security and development teams.
Time is scarce, so it is imperative that developers spend their time on relevant issues. They need language- and framework-specific training to remediate the problems as efficiently as possible.
That is exactly why we built the integration between Avatao and Kondukto. Kondukto, an AppSec Orchestration & Correlation tool, uses developer-level data to show the types of vulnerabilities introduced into the source code by each developer, while Avatao uses a proactive approach to train developers to prevent vulnerabilities in the first place.
When the two platforms are combined, the benefits are twofold. From an individual perspective, developers have access to secure coding courses based on the specific vulnerabilities in their code and can brush up on their secure coding skills. And from a broader perspective, security teams will have fewer recurring vulnerabilities, enabling them to spend more time on productive activities like threat modeling or security research.
Kondukto helps you identify the problem, and Avatao helps you develop a solution.
In its current state, the integration brings visibility into the needs of each individual developer, so that the most relevant course can be assigned to them.
In the long term, secure coding becomes a measurable KPI, and custom-tailored training programs help reduce the number of recurring vulnerabilities in the organization, all of which improves the security awareness of development teams.
Although the current integration requires manual effort to assign courses to developers, this process will be fully automated in the next phase. Pre-defined rules will immediately assign courses to developers as soon as vulnerabilities are discovered by the automated tools Kondukto integrates with.