On the first night of BlackHat USA, I chatted with some friendly penetration testers who were perplexed when I told them I was a developer.
Why would you be at a cybersecurity conference?
…What did you hope to get out of this?
My general (and perhaps vague) response to them, and to other people I met who were perplexed by my attendance at both BlackHat and DefCon, was that I wanted better cybersecurity education, particularly around the development of AI.
Despite my conviction, I admit that I felt a little out of place. Security conferences like BlackHat and DefCon are often considered the domain of penetration testers, security analysts, and ethical hackers, among others. Both cybersecurity conferences are respected in their own right. And at both I met brilliant engineers, thought-provoking speakers, and world-renowned researchers.
However, none of the people I met were developers.
Having attended both events for the first time, I can speak from experience when I say that developers have a lot to gain from attending a cybersecurity conference. Here are five compelling reasons why developers should consider making cybersecurity conferences part of their professional development:
As mentioned in multiple talks at BlackHat, developers and security professionals are in two different camps and don’t mix as much as they should.
But innovation and security are completely intertwined, regardless of job description or organizational divisions, and this arguably begins at the code level. The adoption of Shift Left has placed more emphasis on ensuring code quality and security early in the software development lifecycle; but wanting to produce secure code is not the same as knowing how.
Training (or awareness of available training) certainly contributes to this. A little more than half of the software developers surveyed by The Linux Foundation and OpenSSF reported that they had never taken a course on secure software development, in part because they didn’t know of a good course (although not having time was an equally important reason). This lack of awareness and training could be one explanation why 71% of organizations carry security debt, and why 46% of those organizations are considered to have “critical” security debt.
Why would an organization spend time addressing its security debt unless it understood its importance?
Or worse yet, what if they don’t know they have it?
(This was also part of the inspiration for my Cisco DevNet podcast, The voice of DevSec. The program aims to bridge the gap between developers and the cybersecurity community).
If you delve into articles and documentaries about the major cybersecurity scandals of the 90s and 2000s, you’ll notice a recurring theme: people just didn’t think about cybersecurity back then.
But I’ll be honest: I graduated with a Master’s in Software Engineering in 2021, and at the time, security was hardly an afterthought, let alone emphasized.
And I’m not alone in this. While statistics on developers feeling confident writing secure code appear to vary widely, according to the Developer-Driven State of Security Survey (conducted by Evans Data Corp for Secure Code Warrior), only 35% of developers consider their teams to have “excellent competence” in writing vulnerability-free code.
Having a practical understanding of how to write vulnerability-free code can help reduce that security debt I mentioned earlier.
When you attend a cybersecurity conference, you not only begin to learn practical code security through DevSec/AppSec talks, but you also begin to cultivate a security-focused development pipeline.
If cybersecurity threats are constantly evolving, so should our mitigation strategies and security practices. Generative AI (GenAI) was a big topic of interest at BlackHat this year, in part because, as fast as GenAI and related tools are being produced, we’ve barely scratched the surface of standards for security best practices, or of discovering the new attacks these tools enable. Developers and other engineers involved in GenAI have an ethical responsibility to understand the security and privacy risks of the GenAI systems they are developing and supporting.
DefCon has a lot to offer, but one of the highlights for me, as a first-time attendee, was definitely the Villages. There are several different cybersecurity “villages,” ranging from artificial intelligence security to social engineering and biohacking, where visitors can participate in hands-on activities. For example, the AI Security Village let you create your own deepfake, and I tried red-teaming an LLM through a Capture the Flag (CTF)-style experience.
What is good practice is often not reality. Developers can work long hours and under immense pressure, and while most developers I know pride themselves on producing high-quality code, there can be numerous obstacles to doing so.
By having developers at the (metaphorical) cybersecurity table, we can help the cybersecurity industry understand what developers need to consistently produce secure code. This could mean better representation of developers in DevSec/AppSec conference tracks; or it could mean inspiring the development of security tools and processes that make our lives easier instead of inducing burnout.
And the most important of all?
A practical cybersecurity education allows us to confidently create impactful applications, staying true to what inspired us to become developers in the first place.
Subscribe to our YouTube channel to receive notifications about episodes of our new podcast, The voice of DevSec. The program aims to bridge the gap between developers and the cybersecurity community through relaxed and insightful conversations.