We talked with Jared Ablon, President and Co-Founder at HackEDU, about the importance of engaging and customized training to develop secure coding practices and perform vulnerability assessments.
Tell us in a few words about your company’s services, for companies and hackers as well.
HackEDU provides award-winning secure coding training to help organizations reduce their application security risk. Our SaaS platform teaches developers offensive and defensive approaches by enabling them to create exploits and then fix them in a virtual sandbox. Developers love this practical approach to learning how to write secure code.
Why is your company’s approach successful? And what exactly do customized training and interactive content entail?
HackEDU redefines interactive training by asking developers to write and submit code to complete the training. An important aspect of quality training is using adult learning science principles to ensure knowledge retention. The key learning science principles that HackEDU uses are:
- training in context;
- learning by doing;
- immediate feedback for right and wrong answers.
In addition to our high-quality training approach, we also have Training Automation that helps Learning Administrators to easily, and even automatically create training programs that meet the application security needs of organizations and their developers.
By integrating the HackEDU Secure Coding Training Platform with Application Security Testing tools such as SAST (Static application security testing), DAST (Dynamic application security testing), and bug bounty tools, Adaptive Training Plans can be created based on actual vulnerabilities in an organization’s production applications. This is the most productive way to deliver targeted and relevant training to developers.
Name 2 or 3 essential principles of secure coding.
1. A comprehensive approach to secure coding is key. There is no silver bullet, so ensuring you cover all aspects of the Secure Software Development Lifecycle (SSDLC) will help mitigate the risk of vulnerabilities in software in a comprehensive way.
2. It is never too late to start secure coding. If you do not have a SSDLC, then work towards it. Many mature organizations have immature application security programs, so you are not necessarily behind. It is not all or nothing; take one step at a time and start improving today.
Your company organizes events like Capture the Flag and Coding and Hacking challenges. Can you tell us a bit about them?
Our Secure Coding Training Platform has a library of Challenges requiring learners to apply their secure coding knowledge. These Challenges can be put together in a Custom Training Plan and used as a CTF or Coding challenge. One of our customers, a marketing automation provider, deployed a CTF in this way. Their developers loved it so much that they had to assign more Challenges than initially planned.
Capture the Flag events are popular in the security community as they’re a fun way to challenge others in areas of security – mainly hacking. HackEDU’s platform has offensive-based challenges in which participants try to hack into a website or steal bank information in a safe sandboxed environment. Unlike many Capture the Flag platforms that focus on the offensive side of security, HackEDU also includes coding challenges. This is an opportunity for learners to find and fix vulnerabilities in software. HackEDU’s challenges offer a way for software developers to participate in CTF challenges that are similar to what security professionals have been doing for years.
One of the training approaches that really appeals to our customer base is our approach to offensive and defensive training. Enabling the Learner to execute an exploit in a safe and legal sandbox environment, to teach them how attacks work, and then to fix that vulnerability is both engaging and effective. There are many approaches to CTF events including Jeopardy and attack-defend. We find that software developers really enjoy the events when training is assigned prior to the CTF to aid in their preparedness.
We also recommend delivering challenges one at a time to drive developer focus for those who may not be as immersed in security. This enables developers to be successful rather than feeling frustrated because they don’t have the proper knowledge or hands-on experience. Using the CTF to apply and develope learning is a great way to reinforce learned concepts.
What do you believe is the number one cybersecurity threat that will challenge secure coding in the future?
Surprisingly, despite the ease with which this vulnerability is resolved, the number 1 application vulnerability has been SQL injection for several years. I would say that until all organizations have a quality secure development training program in place, SQL injection will continue to be prominent. So, in actuality, the number one cybersecurity threat might be a lack of commitment to quality education for developers to learn these critical skills.