Data breaches are an uncomfortable reality - one that Yahoo was notably on the receiving end of in 2016. Data spillages from malicious hacking can be incredibly destructive, releasing sensitive information into the public domain and creating monumental commercial losses, as well as the continued threat of further exploitation. The attack on a company the size of Yahoo underlines one thing when it comes to information security - no organisation is safe.
But let’s forget about tech giants like Yahoo for a minute. It’s not only major corporations that are under threat. Your baby monitor might not be safe either. Even your light bulb may be prone to hacking. This might be starting to sound like the plot of a bad horror movie, but the constant expansion of the IoT market means the concern around the security of everyday objects is very real.
Yes, the IoT is exciting, but this enthusiasm can be one of the pitfalls. Developers are in danger of letting ‘excitement’ come first, and security second. But as long as you can access Facebook on your microwave, who cares, right? The majority of users would care if they understood the risks, but the reality is, your everyday tech-obsessed user isn’t thinking about the possibility of someone hacking into their microwave.
As an industry, are we doing enough to train developers to create secure solutions that help to prevent these risks from appearing in the first place?
At the beginning of 2016, TEK Systems revealed the results of their IoT survey. In it, they asked IT and business leaders about their plans for the implementation of IoT initiatives. ‘Increased exposure of data/information security’ was viewed as the top risk and challenge in implementing IoT initiatives, with 50 per cent of companies surveyed citing it. Interestingly, the number one skill set companies were struggling to find was ‘information security’, with 45 per cent of those surveyed citing it as a challenge to their IoT initiatives. Packt’s Skill Up survey indicates that software professionals are well aware of the value of IoT, highlighting an awareness of management needs, but the question about security nevertheless remains.
The root of the problem begins at the top. Business leaders might recognise the importance of security, but how that plays out against business pressures is another matter. On the one hand, training is a major expense and time-consuming process for companies, with more immediate and visible ROI coming from the development of new products. It goes back to that idea of excitement getting in the way. Rather than take time to train employees, many companies rush to push forward with the next innovative product.
“A developer’s job is to develop. Isn’t that what they should be doing all the time?” That appears to be the attitude of many organisations, particularly where there’s a lack of technological understanding between senior management and the development team. When it comes to security, many companies seem to think up-to-date firewalls and detection tools are enough.
Frankly, it’s not enough. There’s a strong argument for a much greater focus on security. That means a change in mindset about what developers should be delivering day to day, with more awareness of the importance of testing and quality assurance, as well as further investment in their team’s skills.
Integrating security and development
What should management be doing? First, they need to identify what security should look like for their product or service. This can be done by actually talking to software experts in their team, rather than making decisions without them. Secondly, they’ll need to identify their current team’s existing security knowledge. This might be done through discussion, using the knowledge of their team in a productive way that informs strategy and planning. But it can also be done through a form of skill diagnostics.
More specifically, this can be done through a task that replicates the challenges developers might face day to day. The results of using a system like this can then inform next steps – what specific elements does this developer need to learn, and when and how are they going to learn?
It’s all too easy to recognise the gaps in a developer’s security knowledge, and then get caught up in a project and not complete the training process. The best online assessment systems should not only recognise the knowledge gaps, but also recommend reading and courses which will fill the gaps. Managers need to take responsibility for ensuring their employees have time to undertake this training. It’s unlikely they’ll have an incentive to complete it in their own time, so management should be creating time for employees to dedicate to training.
Once those skill gaps have been recognised and remedied, all is fine, right?
Wrong. The tech industry, particularly when it comes to IoT, is constantly evolving. Regularly assessing developers on all elements of their role, not just security, is essential if you want to stay one step ahead.
Cybercriminals are often one step ahead when it comes to exploiting software vulnerabilities. That’s why security skills are so valuable – they give organisations a chance to keep up with malicious innovations that threaten our software. Security breaches will, without a doubt, always be an issue for our industry. By empowering developers to learn the skills they need to build software that’s secure, we can be more confident in the products and services we deliver, now and in the future.
Oli Huggins is Platform Product Manager at Packt