Contrast Security announced its integration with Secure Code Warrior to provide contextual just-in-time security micro-learning modules to enhance developer skills to easily patch vulnerabilities without the need for a security team.
Contrast’s innovative security trace format identifies exactly where a vulnerability appears in the code and provides a snapshot of the line of code. The integration then provides just-in-time “how-to-fix” help via micro-videos and interactive contextual courses specific to the code being patched or vulnerabilities found by the Contrast application security platform.
Over the past year, companies have accelerated their digital transformation efforts, which in turn has increased demand for new software applications in virtually every industry. It has also placed an immeasurable burden on developers to do more and do it faster, which has created significant application security challenges even for modern software development teams. A recent study found that 79% of developers are under pressure to shorten release cycles and validate code faster. Yet at the same time, 85% of developers admit that their average application has an average of 10 or more vulnerabilities.
Given these challenges, it’s no surprise that 77% of developers expressed a desire to receive more training in application security and potentially take on more responsibility in this area. However, legacy Application Security Testing (AST) solutions offer limited guidance to developers on how to remediate vulnerabilities or how deep to provide “line of code” level instructions.
Adding more application security personnel is not the solution. Beyond the cost of hiring more application security specialists, 75% of organizations say it’s even difficult to find those with the right specialist skills they need. If organizations are to write and publish code with fewer vulnerabilities, they should allow their developers to do so.
Recognizing that traditional models of security training simply don’t scale and provide developers with the just-in-time training required by the modern software development lifecycle (SDLC), Contrast and Secure Code Warrior have teamed up for a just-in-time approach that allows developers to develop secure coding skills while they write and publish code.
Secure Code Warrior’s Contextual Micro-Learning Modules are integrated with the Contrast Application Security Platform to provide hands-on, accessible, language-specific and framework-specific training. This provides developers with the right kind of skills and knowledge needed to be successful in their day-to-day work. As part of this process, video training is incorporated into the “How to Fix” sections on the Contrast UI and IDE plugins and through the Secure Code Warrior Jira plugin.
“Developers care about security, but struggle with old training approaches failing to deliver the relevant contextual advice they need,” said Nikesh Shah, senior director of strategic alliances at Contrast Security. “We need developers to be security aware, not security experts, and education and automation are the foundation of the DevSecOps transformation. Just-in-time training within the Contrast platform is immensely more effective – and efficient – than traditional in-class security training which is theoretical rather than practical. The integration between Secure Code Warrior and Contrast allows developers to learn and develop secure coding practices that significantly reduce the number of vulnerabilities introduced in new code. This improves the productivity of developers who are under increasing time constraints while significantly reducing application risks.
DevSecOps requires ongoing training in security, security by design, and security automation. By enabling a culture of security awareness, developers remain agile and a higher and more secure standard of software security is possible. Specifically, when security training is engaging and delivered in the languages and frameworks actually used, it is a powerful learning experience. Contrast and Secure Code Warrior aim to empower developers to improve their security knowledge and skills while leaving boring assessments and training to tick behind.
“We will never have enough application security specialists to handle the amount of code produced. It’s time to stop trying to win an impossible game, ”said Stephen Allor, Global Partner Manager at Secure Code Warrior. “Integration with Contrast provides the right tools, just-in-time learning, and support to deliver a people-centered approach that changes culture and behavior to make safety an integral part of an organization’s DNA. The partnership allows developers to acquire practical skills and learn by doing.