A new mentality is needed among developers to curtail the growing cyber security threat.
That is the view of Owen Pendlebury, penetration testing lead for Deloitte in Ireland who is also on the global board of directors at the non-profit OWASP Foundation.
“To most programmers, the focus is on writing code that functions, regardless if it’s secure or not,” he said. “This is the wrong mentality to have in today’s market where the code you wrote yesterday is probably already vulnerable today.
“Our focus on training professionals is increasingly important as most developers come straight into the industry from college – often with bad habits instilled already.”
Pendlebury says that high-profile cases such as the WannaCry ransomware attack, which affected organisations around the world including the NHS, can help improve cyber security awareness at boardroom level.
Just this week news of a breach at popular ticketing platform Ticketmaster made headlines around the world.
“Security is getting to the board level now, which is very, very important,” he said. “More and more people are becoming aware of the issues which have been around for years but never really got that much press.
“Now that they’re getting the press… companies are investing more and more money into cyber security.”
It is not as simple as training up your staff to be aware of how the latest software may be compromised and methods adopted by black-hat hackers, he says.
And while it is important for developers to adopt a security-first mindset, it also helps for cyber security experts to have a background in programming.
“Cyber security is a mindset. It has so many different fields and avenues: from the higher-level policies and procedures to the more technical hacking areas,” he said.
“At Deloitte I generally hire [cyber security] people who are ex-developers because their way of thinking is what I need from an ethical hacker’s point of view and they’re able to solve complex problems and think outside of the box.
“A lot of organisations focus on training their personnel on the ground who are actually performing the work. You can spend a lot of money training devs, but if there aren’t proper policy procedures guiding new developers into maintaining the same standard then organisations generally fail.”
That is where the projects of OWASP – Open Web Application Security Project – come in.
Comprising corporations, educational organisations and individuals from around the world, it provides open-source material to help all organisations improve their security.
It holds two application security conferences each year aimed at developers, pen-testers and CISOs; one in the United States and the other in Europe. This year’s five-day .
There is a pre-conference training programme for three days before the main conference on Thursday and Friday. The three main tracks are developer, hacker and DevOps.
“Our projects, including our code review guide and testing guide, are all written and created by volunteers and aimed at helping organisations to improve their security posture,” he said.
“A lot of organisations all over the world use OWASP as a reference point for pretty much anything that they’re looking to do.
“It’s really cool from our perspective because it shows that we’re making a difference.”
A variety of experts will tackle the burning issues in security at two other conferences in Manchester and London in early July.
Award-winning security blogger Graham Cluley has been confirmed as a speaker for both events with other industry experts also confirmed.


