Every week brings another headline: a major company that has fallen victim to a cyber-attack. Such attacks cause great economic damage and are often preventable, because there is always human error behind them. Sometimes a successful attack is the result of social engineering (for example, a well-written phishing email) and sometimes it is the result of vulnerabilities found in software.
Those vulnerabilities in software don’t get there naturally. They are the result of a developer who made one or more mistakes while designing and building the software in question. We can’t even blame developers for that. During their education and training, the main focus is on developing software that is well put together in terms of ease of use and architecture. The average software engineering student will also gain more than enough knowledge of the processes surrounding development itself (such as Agile working, requirements gathering, etc.). These are all important for developing good software, but there is still considerable room for improvement when it comes to teaching students to build secure software.
The hacker mindset
So how can we as a software company ensure that our developers are building software that is secure? You can never give guarantees, of course. We may be Rockstars, but we are still human beings! By introducing our developers to the techniques hackers use against the software they build, they can learn to better protect their software from these attacks.
Under the guidance of an experienced instructor, some 20 of our developers were introduced to this a few weeks ago. In the challenges they were given, their ability to read code and look at it critically was put to the test. Using the source code of a small (specially developed) application, they could try to compromise it, something hackers do every day with the software that developers build. It quickly became clear to the participants how easy it can be to make software do unintended things.
Three hours of evening fiddling with insecure software significantly raised the level of cybersecurity awareness among participants. It soon became clear that the topic stayed alive afterwards: at the drinks that followed, a laptop with one of the optional “homework assignments” quickly surfaced so the solution could be discussed with fellow Rockstars. Even among the Rockstars who had not participated in the training, the Hacker-Mindset training was the talk of the evening!