Australian banks are leading the charge globally to develop a strong security mindset among their software developers, according to Pieter Danhieux, a secure software evangelist and co-founder of Australian start-up Secure Code Warrior.
He said that five out of Australia’s top six banks were actively engaging their developers to build secure coding skills through Secure Code Warrior’s online, self-paced, gamified learning environment, as well as reviewing real-time metrics and reporting to verify the strengths and weaknesses of their developers and teams. The first contract was $A1 million with one major bank in August 2016, followed by contracts with four more since then.
“Traditional banks have come under strong pressure from non-traditional competitors to accelerate their speed-to-market, enhance quality and increase flexibility. This has led them to adopt more agile development frameworks which focus on rapid development of features and functions at the expense of security,” said Danhieux.
“The average cost of a data breach now stands at $US3.6 million, and the odds of a company being impacted are as high as one in four. Most of the world’s major security breaches can be traced to coding errors which allow hackers to gain more privileges on computer networks, giving them access to harvest critical data.”
He cited breaches in recent years including Qatar National Bank, VTech, Mossack-Fonseca (Panama Papers), and TalkTalk where hackers took advantage of poor software security practices.
Danhieux, a long-time ethical hacker, Principal Instructor for the SANS Institute and AISA’s 2016 Cyber Security Professional of the Year, strongly supports Agile Development methodologies that integrate security from the start, practices employed by many tech companies and an increasing number of financial services institutions.
“The shift to Agile Development has some great speed benefits for companies and customers, but it has created significant new challenges with respect to preventing security vulnerabilities. Every developer now needs security built into their DNA, maintaining speed but reducing security bugs which are typically expensive to fix.”
Secure Code Warrior was founded in Sydney and London in 2015 when Danhieux, his business partner John Fitzgerald and three other Aussie cybersecurity professionals decided they wanted to help software developers embrace security as a core responsibility of their job.
“Current application security tools focus on moving from right to left in the Software Development Life Cycle (SDLC), an approach that supports detection and reaction – detect the vulnerabilities in the written code and react to fix them. We focus on the extreme left of the SDLC, making the developer the first line of defence in their organisation and helping to prevent vulnerabilities from happening in the first place,” said Danhieux.
Craig Davies, CEO of the Australian Cyber Security Growth Network (AustCyber), predicts that this type of hands-on, evidence-based training will become a fundamental activity for organisations developing applications.
“Companies who code securely from the start will not only significantly reduce their risk but strip out huge costs and delays with their product innovation,” he said.
Danhieux said he has been impressed with the Australian banks, who recognised that the risk was real and have been quick to reduce their exposure.
“The pace of new customers onboarding Secure Code Warrior around the world makes it clear that financial service institutions everywhere are recognising the importance of building security excellence into every line of code, and that Secure Code Warrior is an easy solution to address the challenge rapidly and sustainably.”