By Francis Ofungwu, Global Field CISO, GitLab
There is no question that there is a critical need to expand Asia Pacific’s cybersecurity talent pool to move the region’s security practices forward and counter the rising threat of cyberattacks.
According to a recent study from ISC2, APAC saw the largest percentage increase in the cybersecurity workforce globally, yet at the same time the region's skills gap widened by 52.4% in 2022 - a cyber workforce shortfall of 2.16 million people.
While the headline takeaway, that organisations must attract and retain strong talent, is a sound one, technology leaders would be remiss to overlook a crucial group in shoring up their cyber defences: enterprise developers, who are increasingly being tasked with security responsibilities.
Shift left creates new security burden
The need to "shift security left" - an approach that moves security testing earlier in the software development lifecycle - in most cases means putting tools typically used by security professionals in the hands of software developers. The thinking is that, by scanning applications for weaknesses earlier in the development process, development teams will identify and fix software vulnerabilities before they ever reach production. Ideally, this relieves overburdened security teams from reactively dealing with those vulnerabilities right before, or even after, release, freeing them up for more strategic, proactive security work.
While this is sound in theory, development teams that run the prescribed security tools may not have the knowledge or support to triage, prioritise and fix everything themselves. The vulnerabilities therefore continue to make their way downstream to security teams, or accumulate as technical debt. Scanning and passing vulnerabilities downstream to overworked appsec teams isn't living up to the promise of shift left. It just shifts the problem left.
The Security Skills Gap
GitLab’s 2022 DevSecOps Survey found that 57% of survey respondents agreed that security is a performance metric for developers within their organisations. However, 56% said it was difficult to get developers to actually prioritise fixing code vulnerabilities.
The expectations placed on development teams when it comes to security are only increasing. But presenting security scan results without any guidance on how to interpret the findings, how to fix the identified problems, or what their potential impact is can be frustrating for developers, who may choose to ignore the results in favour of shipping code faster, shifting the burden back to AppSec teams.
Organisations continue to hand enterprise developers additional security responsibilities without providing any support or education on how to respond to security alerts. For developers to deliver on the promise of shift left, they need real-time security education that helps them identify and fix security vulnerabilities as they arise, proactively stop security issues from occurring, and communicate and assign security responsibilities within their teams.
The reality is that most developers aren't security experts. Even seasoned software engineers don't have time to learn everything in the vast security universe. What they need is relevant information presented to them where and when they need to understand a specific security issue. That is why software development platforms must meet engineers where they are and provide continuously updated, real-time, context-specific security training options. Integrated security training is likely the best way to keep developers informed in real time without offloading the security work to already overloaded security teams.
Secure coding skills are rarely addressed in academic courses or coding bootcamps. Although most organisations require software developers to undergo annual security training, these workshops usually consist of a slideshow presentation or a generic video on software vulnerabilities. This style of training rarely leads to meaningful understanding of the material, and the time gap between learning and applying the knowledge reduces the chance of lasting engagement and retention.
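The triage and prioritisation problem described above, and the case for putting context next to each finding rather than dumping raw scanner output on developers, can be made concrete. The following is an added example, not code from the article or from GitLab's own tooling. It assumes the general shape of a GitLab SAST JSON report (a `vulnerabilities` list whose entries carry `severity`, `location.file`, `location.start_line` and `identifiers` of type `cwe`); the sample report, the changed-file set and the remediation hints are constructed for illustration. The idea is to show a developer only the findings in files the merge request actually touches, at or above a severity bar, de-duplicated across analyzers, ordered by urgency and annotated with a one-line fix hint, while everything else stays on the AppSec backlog.

```python
"""Triage SAST findings for a merge request so developers see only what is
actionable for them, ordered and annotated.

Added example, not part of the article or of GitLab's product. It assumes
the shape of a GitLab SAST JSON report: a "vulnerabilities" list whose
entries carry "severity", "location" {"file", "start_line"} and
"identifiers" with type "cwe". SAMPLE_REPORT and GUIDANCE are constructed.
"""
import json
from dataclasses import dataclass
from typing import Optional

# Lower rank = more urgent. Vocabulary follows GitLab's severity levels.
SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3, "Info": 4, "Unknown": 5}

# Short, CWE-keyed remediation hints shown beside a finding (illustrative assumptions).
GUIDANCE = {
    "89": "Use parameterised queries; never build SQL by concatenating user input.",
    "79": "Encode output for its HTML context; prefer templates that escape by default.",
    "798": "Move the secret to a CI/CD variable or vault and rotate it now.",
}


@dataclass(order=True)
class Finding:
    rank: int            # sort key: severity first
    line: int            # then position in the file
    severity: str
    file: str
    name: str
    cwe: Optional[str]
    guidance: str


def triage(report_json: str, changed_files: set, min_severity: str = "Medium") -> list:
    """Return findings located in files touched by this MR, at or above
    min_severity, de-duplicated by (file, line, CWE) and sorted by
    severity then line number."""
    report = json.loads(report_json)
    cutoff = SEVERITY_RANK[min_severity]
    seen = set()
    findings = []
    for vuln in report.get("vulnerabilities", []):
        loc = vuln.get("location", {})
        path = loc.get("file", "")
        if path not in changed_files:
            continue  # pre-existing debt elsewhere: AppSec backlog, not this MR
        severity = vuln.get("severity", "Unknown")
        rank = SEVERITY_RANK.get(severity, SEVERITY_RANK["Unknown"])
        if rank > cutoff:
            continue  # below the bar for interrupting this developer
        cwe = next((i.get("value") for i in vuln.get("identifiers", [])
                    if i.get("type") == "cwe"), None)
        line = int(loc.get("start_line", 0))
        key = (path, line, cwe or vuln.get("name"))
        if key in seen:
            continue  # a second analyzer reported the same spot
        seen.add(key)
        findings.append(Finding(rank, line, severity, path, vuln.get("name", ""), cwe,
                                GUIDANCE.get(cwe, "No inline guidance; see the rule's documentation.")))
    return sorted(findings)


def render(findings) -> str:
    """One entry per finding, ready to post as a merge request comment."""
    return "\n".join(
        f"[{f.severity}] {f.file}:{f.line} {f.name}"
        + (f" (CWE-{f.cwe})" if f.cwe else "")
        + f"\n    -> {f.guidance}"
        for f in findings)


# Constructed sample report (not real scanner output).
SAMPLE_REPORT = json.dumps({
    "version": "15.0.0",
    "vulnerabilities": [
        {"name": "SQL injection", "severity": "Critical",
         "location": {"file": "app/orders.py", "start_line": 42},
         "identifiers": [{"type": "cwe", "name": "CWE-89", "value": "89"}]},
        {"name": "SQL Injection (second analyzer)", "severity": "High",  # same spot, duplicate
         "location": {"file": "app/orders.py", "start_line": 42},
         "identifiers": [{"type": "cwe", "name": "CWE-89", "value": "89"}]},
        {"name": "Reflected XSS", "severity": "Medium",
         "location": {"file": "app/views.py", "start_line": 17},
         "identifiers": [{"type": "cwe", "name": "CWE-79", "value": "79"}]},
        {"name": "Hard-coded credential", "severity": "High",  # file not touched by this MR
         "location": {"file": "legacy/db.py", "start_line": 3},
         "identifiers": [{"type": "cwe", "name": "CWE-798", "value": "798"}]},
        {"name": "Weak random", "severity": "Low",
         "location": {"file": "app/views.py", "start_line": 90},
         "identifiers": [{"type": "cwe", "name": "CWE-330", "value": "330"}]},
    ],
})
CHANGED_FILES = {"app/orders.py", "app/views.py"}

if __name__ == "__main__":
    print(render(triage(SAMPLE_REPORT, CHANGED_FILES)))
```

Run against the constructed report, the developer sees two items: the Critical SQL injection in `app/orders.py` (the duplicate from the second analyzer is collapsed into it) and the Medium XSS in `app/views.py`. The hard-coded credential in `legacy/db.py` is real but was not touched by this change, so it stays with the AppSec team rather than blocking an unrelated merge request; lowering `min_severity` to `"Low"` brings the weak-random finding back into view.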
Empowered Developers Drive Security
Unlike older generations of software developers, who learned primarily from books and academic courses, younger generations of developers are learning using online resources like blogs, videos, and bootcamps. In fact, a study from Stack Overflow found that nearly 60 percent of developers surveyed learned how to code from online resources. The platforms we use to develop software must evolve to meet this new style of learning.
Developers are under enough pressure to deliver code efficiently. Rather than bogging them down with long, unwieldy training, small, bite-sized instructions that deliver targeted, context-appropriate lessons for hands-on skills building are likely to be most helpful. This shortens the gap between learning a new skill and putting it into practice, allowing developers to build the muscle memory to spot security issues as they code, and further reducing the number of common vulnerabilities that arise in the software development life cycle.
As more APAC organisations adopt a workflow that empowers developers to resolve vulnerabilities faster and earlier in the process, they will over time be positioned to deliver secure code at scale and to improve their release quality. Secure coding training within the DevOps workflow can automate and scale remediation support for developers, allowing application security teams to focus on proactively mitigating security risks and strengthening the organisation's security posture. That is the true potential of shifting security left.