This article is a repost from Cybernews on April 2, 2022.
Jared Ablon, HackEDU: "organizations don’t have to be massive corporations to be appealing cyberattack targets"
Now that everyone spends a significantly larger proportion of their time in the digital space, cybercriminals are more active than ever, trying to exploit existing vulnerabilities.
The switch to remote work created a bigger attack surface for cybercriminals. The use of personal devices and networks resulted in having more vulnerable spots.
Luckily, home users can protect all of their browsing activity with a VPN, as well as prevent malware infiltration with a robust antivirus. However, for corporations, it’s vital to secure applications from the inside as well.
According to Jared Ablon, the President and Co-Founder of HackEDU, a company that specializes in secure coding training, developers must improve their skills in secure coding. So, today we’ll talk about effective secure code training, the most prominent cyber threats, and ways to start a career in cybersecurity.
Let’s go back to the HackEDU launch in 2017. How did it all begin?
Well, my Co-Founder, Matt Koskela, and I were both working at AirMap. Matt was the VP of Product and I was the CISO. We were working together to ensure the software we were developing was secure and learned quickly that there wasn’t a good hands-on solution in the market to teach developers how to write secure code.
We created and delivered an in-person time-intensive course for our developers where they tried to hack applications and look at the issues with the code. So, we saw the impact great hands-on training can have. When you also consider that 0 out of 40 top higher-ed programs don’t teach secure coding in their curriculum, we determined there was a problem in the market that we could solve.
So, together we built sandboxes, with lessons and challenges, that developers could use to learn how exploits work and how to find and fix vulnerabilities.
Can you introduce us to what you do? What are the main challenges you help navigate?
Nearly every industry depends on software to power its businesses and to serve its customers. The countless teams of developers tasked with creating, maintaining, and updating that software code – whether it’s an enterprise-grade platform or a streamlined mobile app – serve as one of the most well-positioned professionals. They help to protect the very software they work with each day.
Through regular secure coding training, teams of developers can create a culture of security at the onset, fine-tuning their skills in adaptive training that shows them how hackers analyze their code. It’s real-world training that incentivizes excellence among developers.
As a result, code becomes more secure, vulnerabilities are found before launch or major updates, and users gain a superior experience. It’s a truly foundational approach that plays a huge role in preventing many of the attacks we hear about every day on the news.
How do you make coding training both entertaining and educational?
We find that developers love our training because we give them applicable skills and knowledge in a hands-on environment with real tools and applications that help them do their jobs better.
HackEDU’s training includes lessons that recreate actual known attacks that are in the nightly news, so developers know they’re receiving training that’s highly valuable and relevant.
This purpose-built training is very useful because we help companies create automated training plans using the vulnerability information found in their code via SAST and DAST tools. There’s no wasted time in our training programs.
Additionally, companies can choose to incentivize secure coding training through gift cards or cryptocurrency if they need to.
What career paths are available for a person interested in hacking?
If someone is interested in hacking, we can only hope they want to use those skills for good – such as assisting organizations in improving their security posture. HackEDU provides the training to arm ethical hackers with the tools in a sandbox which is a safe and legal environment to learn how to identify such vulnerabilities while also exploring the implications of exploiting them.
Have you noticed any new threats arise as a result of the current global events?
The current international conflict has created a long list of repercussions. From nation-state attacks to those acting completely independently, it’s clear that cyber actors are seeking to take full advantage of the situation. And organizations don’t have to be massive global corporations or large governmental agencies to be appealing cyberattack targets. Of course, vital utilities, infrastructure, and financial institutions are constant targets. However, everything from small franchises and dental offices to family-run transportation businesses and nearly every other type of main street business that uses the internet can fall victim as a result of vulnerabilities found in their systems. We’re proud that HackEDU plays a role in helping developers learn how to reduce the number of vulnerabilities – and does so in an ongoing, ever-innovating manner. We feel the HackEDU approach keeps developer interest high and software that much stronger, in the face of today’s ever-evolving threat landscape.
Why do you think organizations push employee cybersecurity training to the background?
Employee cybersecurity training is one item in a long list of responsibilities that an InfoSec professional has in their objectives to protect their organization. Since delivering an employee training program is not a typical skill set of InfoSec professionals, it easily gets pushed to the bottom of their priority list.
However, just like with any profession, such as healthcare, higher education, military roles, and others, ongoing training is necessary to keep skills fresh and should get a high priority. Especially when this cybersecurity training might be the first time that employees have received any actual education on the subject.
Additionally, most employees/developers see required training as a burden. So if you focus on getting training that is hands-on, relevant, engaging, and effective, then users will be more interested in taking it.
In your opinion, what threats and vulnerabilities should modern companies, as well as individual users, be on the lookout for? What measures help combat these threats?
Companies should focus on the fundamentals of security. SQL injection continues to be number one on the Open Web Application Security Project (OWASP) Top 10 list and has been for more than a dozen years. This particular threat is fairly easy to prepare for if developers have been trained to write secure code. HackEDU recommends monthly training for all of the potential threats on the OWASP Top 10 list that teaches developers how to protect their software from each of these attacks.
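As an added illustration of the point above (this is editor-supplied example code, not material from the interview or from HackEDU's training), here is the same user lookup written two ways against a constructed in-memory SQLite table: once by pasting the caller's input into the SQL text, and once with a bound parameter. The table, its rows and the probe string are all invented for the example; the safe version is the one developers trained in the fundamentals reach for by default.

```python
import sqlite3

# Constructed sample data for this example only (not from the page).
SAMPLE_USERS = [
    (1, "alice", "alice@example.test"),
    (2, "bob", "bob@example.test"),
    (3, "carol", "carol@example.test"),
]


def make_db():
    """Build an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def find_user_vulnerable(conn, username):
    """Injectable: the caller's string becomes part of the SQL grammar."""
    query = f"SELECT id, username FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, username):
    """Parameterized: the driver binds the value, so it can never change the
    statement's structure, whatever characters it contains."""
    return conn.execute(
        "SELECT id, username FROM users WHERE username = ?", (username,)
    ).fetchall()


def demo():
    """Run both lookups with an ordinary name and with a classic probe string
    and return the four result sets so the difference can be checked."""
    conn = make_db()
    normal = "alice"
    probe = "' OR '1'='1"  # constructed probe; turns the WHERE clause into a tautology
    return {
        "vulnerable_normal": find_user_vulnerable(conn, normal),
        "vulnerable_probe": find_user_vulnerable(conn, probe),
        "safe_normal": find_user_safe(conn, normal),
        "safe_probe": find_user_safe(conn, probe),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The vulnerable lookup returns every row when given the probe string, because the final statement reads `... WHERE username = '' OR '1'='1'`; the parameterized lookup returns no rows, because it searched for a user literally named `' OR '1'='1`. The fix is not input filtering but keeping data out of the query text, which is exactly the kind of pattern a hands-on exercise makes stick.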
What tips would you give to someone looking to break into the cybersecurity industry?
Protecting organizations from cyberattacks is an incredibly important mission with great opportunities for personal reward and growth. Most organizations are looking for people with experience because everyone doesn't show the necessary skills. However, focus on learning the fundamentals of security and try to get a job where you can learn the basics of technology, networking, and software. Top security professionals can come from all sorts of backgrounds: IT admins, music majors, software, and risk management.
Would you like to share what’s next for HackEDU?
At HackEDU we are growing and adding resources to create more training content for deeper levels of learning for developers and DevSecOps. We will continue to add content that replicates actual attacks so that we can teach how the exploits work and how to prevent similar attacks in the future. In addition, we will be adding features to further engage and help change developer behavior. We look forward to continuing our mission of helping organizations decrease vulnerabilities!