A lack of cohesion between software development teams and cybersecurity functions compounds the software supply chain risks faced by organizations, making it all the more urgent for cybersecurity leaders and their teams to better engage with and educate developers. Standard cybersecurity awareness training won’t be effective with developers, experts say. The training must be tailored to address the specific cyber risks surrounding the software development lifecycle.

The risks of insecure software were laid bare in early 2021 by the Sunburst supply chain attack, in which threat actors infiltrated a commercial software application made by SolarWinds to target a wide range of organizations, individuals, and government agencies. The attack was not only complex and difficult to detect but also wide-reaching, impacting tens of thousands of victims. Furthermore, it alerted cybercriminals to the vulnerabilities surrounding software supply chains and to the potential benefits of specifically targeting development lifecycles, including developers themselves.

Organizations fail to address software development cyber threats

Several months on from the SolarWinds attack, a new report from Osterman Research suggests that organizations have yet to address the underlying people-related security issues that can lead to such software supply chain compromises. Imperfect People, Vulnerable Applications outlines the human elements contributing to cyber risk in the software development lifecycle (SDLC), based on responses from 260 people in application development and security roles across the US and UK. It reveals that 45% of development teams feel their understanding of the latest application attacks is lacking, with the vast majority (81%) admitting to knowingly pushing vulnerable code live.
What’s more, just 27% of front-line development professionals consider application security their responsibility, despite 80% of their senior managers believing it is.

The findings are no more positive from the perspective of cybersecurity professionals. Only half of CISOs (50%) are confident that secure applications can be developed, while 45% of security workers believe developers do not understand the latest threats to application security. In fact, 56% of security teams believe their company would not be able to withstand a SolarWinds-style attack on their software build environment.

Insufficient cybersecurity training exacerbates software supply chain risks

This lack of alignment and understanding is exacerbated by outdated, insufficient, and irregular cybersecurity information sharing, education, and training for developers, the report concludes. Legacy, classroom-based approaches neither engage developers nor impart the knowledge required to keep pace with the fast-moving threat landscape and the dynamic technology fundamentals of the SDLC.

Security awareness training has, for a long time, failed software developers, concurs Tiffany Ricks, CEO and founder of US-based automated security and awareness training provider HacWare. “The tricky thing about security training for developers is it has to be relevant content, at the right time, to promote innovation.”

Another sticking point is that so many new developers come from various educational backgrounds, Ricks adds. “They do not understand how to get started with secure coding and they need coaching.” Osterman’s report found that half of new employees joining an organization are not provided with effective training on application security, while only 45% of front-line developers are given the necessary time to learn how to create secure applications.
“Continuous and targeted security awareness training is therefore essential for software developers,” she argues.

So, how should organizations and their security functions approach such tailored security awareness-raising efforts for developers?

Recognize that developers are a target for cyberattacks

For HD Moore, co-founder and CEO of Rumble Network Discovery and founder of the Metasploit Project, a good place to start is recognizing that developers themselves are at growing risk of targeted attacks. “Security training for development teams is often focused on code safety and doesn’t touch on compromised dependencies or the possibility of personal accounts being targeted,” he tells CSO. “Developers not only write code for a living, they run it, too, and that puts them at increasing risk of targeted attacks. In terms of attack surface, development teams are exposed to a huge number of third-party resources and services, and existing security training programs rarely take this into account. For example, a malicious pull request [on GitHub] for an open-source project may be a quick way to steal credentials from the project developers, especially if well-disguised with other changes.” Moore notes that it’s difficult to spot vulnerabilities intentionally introduced through compromised or look-alike dependencies during a casual review.

Organizations should therefore improve their security awareness programs to account for targeted attacks against personal accounts, malicious and compromised dependencies, and phishing attacks in general, says Moore.
“Security programs that monitor unusual use of developer credentials have a leg up in terms of responding to successful attacks.”

Address the highest-risk software supply chain threats

Focus on providing early and regular intelligence on the software supply chain risks that are most likely to cause significant damage to the business, such as malicious third-party software updates and compromised open-source code, says Mark Orlando, SANS instructor and co-founder and CEO of Bionic Cyber.

“The ubiquity of these programs and packages makes them attractive targets, as they enable an attacker to bypass most security controls,” says Orlando. “Compromises can also be difficult to remediate once these compromised components have been included in an internal system.” He cites the Codecov and SolarWinds compromises, and the malicious libraries uploaded to the Python Package Index in 2018, as examples of malicious updates that you should expect to continue in the future.

Build security controls and monitoring into development processes

Security teams should work together with development teams to build security controls and monitoring into the development process, as opposed to attempting to bolt things on post-development, Orlando says. “Securing software development is different from securing other infrastructure in the sense that we can’t wait for a system to enter production before we start to care about it. It requires partnering with and supporting development teams versus imposing additional work that may cause delays. The goal of this partnership is to weave assessment and remediation processes into the deployment pipeline as early as possible.”

This means injecting security requirements into development sprints, providing timely feedback on bugs, and enabling development to meet its deadlines without sacrificing security, Orlando explains.
“The security team must also act as a resource to keep developers apprised of application and infrastructure-specific threats and provide constructive guidance on how to address issues.”

Don’t omit data compliance in software development training

It’s becoming increasingly important for developer-specific cybersecurity training to address the complexities of data storage requirements for personally identifiable information (PII) under regulations such as GDPR, PCI DSS and others, says Ricks. “It is the developer’s job to build the code so that the data is no longer identifiable. Their security awareness program needs to touch on best practices for encrypting data and anonymizing it so it follows compliance standards for storage. If the end-user requests their data or wants it removed from the system, the engineer has to know the best practices for coding this feature.”

Make cybersecurity training for developers engaging

Whatever form of cybersecurity training, education, or information sharing a security team opts for, the most important aspect is that it is as engaging as it is relevant for developers. “Effective training must involve collaborative, interactive skills building and micro-drilling—not videos, multiple-choice questions, and tabletop exercises,” says Sean Wright, lead application security SME at Immersive Labs. “Also, practical, real-world training is hugely important. Developers love coding, so getting them to actually code and get hands-on with some real vulnerabilities as part of the training makes it significantly more engaging, which means the information will stick.”

Tying this into real-world business examples is particularly effective. Wright encourages the cybersecurity function to instill a “why” mindset among developers. “Why should I be concerned about this vulnerability? What does it mean for my organization if I leave it in? What is the broader impact?
Training that gets this message across more effectively is more likely to result in better engagement, both in terms of willingness to take part in the training and in terms of ensuring the information from the training really sinks in.”

It’s no secret that the SolarWinds compromise has increased overall awareness of cyberthreats surrounding software development teams, processes, and supply chains. However, common application attack methods such as SQL injection and cross-site scripting have been around for decades and are still consistently present in several of the top vulnerability lists, while regularly flying under the radar of security programs. Organizations are still seemingly failing to truly address the people-centric, awareness-based issues that lead to such compromises, but as the ramifications of application supply chain vulnerabilities have proven this year, they are doing so at their peril.

Time and resource constraints within security teams will be a hurdle to overcome in building a more collaborative, intel-sharing culture with the development function (Osterman’s report found that 56% of security respondents do not have the necessary time to help the development team secure applications), but surely the old adage ‘Give a man a fish, and you feed him for a day; show him how to catch fish, and you feed him for a lifetime’ has never rung truer from a modern organizational cybersecurity perspective.