A new mentality is needed among developers to curtail the growing cyber security threat.
That is the view of Owen Pendlebury, penetration testing lead for Deloitte in Ireland who is also on the global board of directors at the non-profit OWASP Foundation.
“To most programmers, the focus is on writing code that functions, regardless if it’s secure or not,” he said. “This is the wrong mentality to have in today’s market where the code you wrote yesterday is probably already vulnerable today.
“Our focus on training professionals is increasingly important as most developers come straight into the industry from college – often with bad habits instilled already.”
Pendlebury says that high-profile cases such as the WannaCry ransomware attack, which affected organisations around the world include the NHS, can help improve cyber security awareness at boardroom level.
Just this week news of a breach at popular ticketing platform Ticketmaster made headlines around the world.
He told BusinessCloud: “Security is getting to the board level now, which is very, very important,” he said. “More and more people are becoming aware of the issues which have been around for years but never really got that much press.
“Now that they’re getting the press… companies are investing more and more money into cyber security.”
It is not as simple as training up your staff to be aware of how the latest software may be compromised and methods adopted by black-hat hackers, he says.
And while it is important for developers to adopt a security-first mindset, it also helps for cyber security experts to have a background in programming.
“Cyber security is a mindset. It has so many different fields and avenues: from the higher-level policies and procedures to the more technical hacking areas,” he said.
“At Deloitte I generally hire [cyber security] people who are ex-developers because their way of thinking is what I need from an ethical hacker’s point of view and they’re able to solve complex problems and think outside of the box.
“A lot of organisations focus on training their personnel on the ground who are actually performing the work. You can spend a lot of money training devs, but if there aren’t proper policy procedures guiding new developers into maintaining the same standard then organisations generally fail.”
That is where the projects of OWASP – Open Web Application Security Project – come in.
Comprising corporations, educational organisations and individuals from around the world, it provides open-source material to help all organisations improve their security.
It holds two application security conferences each year aimed at developers, pen-testers and CISOs; one in the United States and the other in Europe. This year’s five-day OWASP AppSec Europe conference begins on Monday at the Queen Elizabeth II Conference Centre in London.
There is a pre-conference training programme for three days before the main conference on Thursday and Friday. The three main tracks are developer, hacker and DevOps.
“Our projects, including our code review guide and testing guide, are all written and created by volunteers and aimed at helping organisations to improve their security posture,” he said.
“A lot of organisations all over the world use OWASP as a reference point for pretty much anything that they’re looking to do.
“It’s really cool from our perspective because it shows that we’re making a difference.”
A variety of experts will tackle the burning issues in security at two other conferences in Manchester and London in early July.
Award-winning security blogger Graham Cluley has been confirmed as a speaker for both events with other industry experts also confirmed.