The rise of risk-aware developers (and how to create one)

Attackers and cyber criminals are lurking around the internet looking for the weakest prey.

They seem to have found one: developers.

Cyberattacks attempting to sneak into developers' systems have skyrocketed since 2018 (after the so-called “event-stream incident”) and this should be warning technical leaders. Developers are seen as low-hanging fruits and entry points to finished software, but with the ultimate goal to compromise the development pipeline that could potentially cost businesses a sizable amount of money.

And here’s the thing: dev teams know the importance of secure coding.They understand how a lack of security awareness leads to applications being built with vulnerabilities that make it easier for bad actors to breach the system and gain access to sensitive data. 

🤔 So, why is such a critical security ally still lacking fundamental security practices?

In summary, secure coding is not enough anymore. Most training providers focusing on this domain promote a reactive approach to coding and software development, providing standard rules that developers must apply in the early stages.

Our approach aims to foster a proactive approach to security. DevOps teams need to build in processes to secure the applications at the earliest stages of the Software Development Lifecycle (SDLC) and have enough competency in application security to do some basic tasks: not only identify vulnerabilities, but also assess, scan for errors, and avoid them to minimize risk on the organization’s system.

Software Development Lifecycle: what does it mean for business?

The Software Development Lifecycle (SDLC) is a structured process that encompasses the stages of planning, creating, testing, and deploying a software application, ensuring that it meets user requirements and functions as intended.

With today’s rapid development timelines and agile principles—hours and days instead of weeks and months—it is no longer an option for anyone along the Software Development Lifecycle to neglect security. 

Changes in the code are more frequent and businesses cannot really afford to run a penetration test every time something gets added to the code base: it is just not efficient, and that is the reason for developers to pick up vulnerabilities.

The main goal of integrating security into the SDLC is to identify bugs early in the development process instead of waiting until the post-release testing. This makes it harder and less profitable for attackers to break in. Code errors and weak security awareness can, in fact, bleed any part of the development process, from planning to maintenance.

All these potential risks can damage the entire organization. 

Flaws and vulnerabilities in the code not only end up costing money in case they are exploited by attackers, but a clunky software development lifecycle makes modern development teams inefficient, slower, and struggle to keep up with iteration plans. 

When issues are not identified until after the application is in production or has been released, security teams have a harder job. They have to work with the developers and source code reviewers on a fix, which can cause significant delays.

🔎 What’s missing, then, to prevent these threats and successfully help security and developer teams run as one?

Developers are focused on building a useful product—not breaking it. The best way to mitigate the risk of code vulnerabilities is to be fully aware of all that could go wrong in the software, including components and dependencies in the software supply chain. 

The following section will show how this mindset can be built by using content and features on the Hack The Box (HTB) product suite.


Teaching devs how to exploit

Developers may not be security experts, but that doesn’t mean they can’t learn the basics to ensure they are building bulletproof applications. 

Our methodology is built to empower secure coding practices with fundamental security principles such as risk assessment, threat modeling, security controls, incident response planning, and ongoing monitoring.

By shifting the focus to a risk mitigation mindset rather than specific attacks or commands, IT teams can embrace a holistic approach to code security by considering all aspects of an organization's systems, processes, and environment. It goes beyond just coding practices as it prepares developers to identify vulnerabilities and exploit them using white box and black box pentesting techniques.

In addition, organizations are often required to adopt a risk-based approach to cybersecurity and adhere to specific risk management practices (such as ISO 27001, NIST, GDPR) and demonstrate their commitment to managing cybersecurity risks effectively.

Managers and technical leaders now have the opportunity to introduce dev teams to security in some simple, outcome-based steps.

 

Assess current skills with a CTF event

Based on our exclusive Attack Readiness Report, more than 70% of managers view team events like CTFs as a viable way to raise employee engagement in regular assessments, while 72% agree that CTF events can help measure and upskill employees.

The HTB CTF Marketplace makes it easier than ever to organize and get started with an engaging, gamified team assessment. Specifically for developers, managers can quickly select from the Web Application Security packs (of different skill levels).

The variety of Challenges included in the Web Application Security packs will be presented with a variety of basic web application vulnerabilities, such as SQL injection, Cross-Site Scripting (XSS), and Command Injection—suitable for beginner-level users with little to no knowledge on the domain.

Hosting a CTF will empower developers to:

• Identify and exploit basic vulnerabilities in web applications.

• Analyze web application traffic to detect and prevent attacks.

• Understand the basics of web application security risks.

• Familiarize with web application source code and identify bugs.

Assign learning materials based on the outcome

HTB Academy provides a solid foundation for web application penetration testing, combining secure coding and additional supplementation in offensive security that developers can leverage.

The Senior Web Penetration Tester job-role path (leading to the HTB CWEE exam) provides technical competency in web security, secure coding, application debugging, source code review, and custom exploit development aspects of web security testing. Managers can also select specific, targeted courses for a more tailored skills development plan.

Developers working in large corporations or federal agencies must be aware of advanced persistent threats (APT) groups and the potential risks associated with them. The MITRE ATT&CK framework mapping on HTB Academy comes as a crucial feature to identify techniques used in the past to exploit vulnerabilities connected to insecure code.

Create and customize hands-on development plans

Web technologies can be easily targeted and exploited by attackers by injecting malicious code or scripts, enabling them to steal data, potentially hijack sessions, cookies, or perform other dangerous actions.

Dedicated Labs help developers understand—and act—when code can be weaponized. Using the enhanced content categorization available on HTB Enterprise Platform, dev teams can search for practical scenarios by:

• Learning objectives (Web Attacks, HTTP/s Attacks, Source Code Review, Web Application Injections, API Vulnerability Identification, etc.)

• Technologies (Apache, Jenkins, Git, Drupal, etc.)

• Languages (Python, PHP, JavaScript, etc.)

Vulnerabilities (SQL Injection, Weak Authentication, Remote Code Execution, Cross-Site Scripting, etc.)

Managers have the opportunity to create a dedicated space for their dev teams and add scenarios by selecting specific Machines or Challenges, or directly choose curated, pre-made collections focusing on OWASP’s top 10 vulnerabilities core learning outcomes for secure development practices.

Organizational reskilling by design

Could the next rising star of your cybersecurity team already be within your organization?

Reskilling initiatives are a core, established practice in learning and development but often not successful for a variety of reasons: unengaged employees, unattractive learning methods, or unclear career development plans.

By adopting the products available on the HTB business offering, technical leaders have the opportunity to close skill gaps and retain the best-performing employees offering an exciting future ahead. 

Successful organizations cannot solely rely on Security Champion Programs, anymore. The planning and delivery requires a high level of resources (time, people, and knowledge) that might not pay off the final outcome.

The HTB solution provides a new way to reskill by design and fully integrate security requirements with developer teams or other functions within the business. 

One of our enterprise clients—a multinational information technology company providing IT and telecommunication services to the air transport industry—achieved major improvements in various metrics across departments just within 18 months of adoption:

• Enhanced job roles and career paths for engineering teams

• Increase satisfaction, happiness, and retention among security-adjacent employees

• Directly tested vulnerabilities and bugs like Cross-Site Scripting (XSS) during CTFs

• General improvements in the Software Development Lifecycle in terms of speed and security requirements

• Increased security awareness in dev teams and more efficient iterations

The value of reskilling is also confirmed by our community: in our recent survey, 68% of security team members rated “opportunity to learn new skills” as the top factor for remaining in their current workplace.

Choose HTB to boost your cyber performance

Internet-facing and internal web applications are prime targets for infiltrating an organization's network in the EDR/XDR era, as internal networks and endpoints are heavily monitored by these systems. This makes it crucial for developers to be the first line of defense.

With the average cost of a breach reaching $4.45 million, unskilled teams pose a real risk to the security of your business. This is why cybersecurity performance programs and continuous improvement are no longer a nice-to-have, but a necessity.

Start now to implement your proactive security strategy!