As education goes virtual, it’s time to get SaaS-y on app security

Going back to school has a completely different meaning in 2020. While we continue adjusting and working through a global healthcare crisis of unthinkable proportions, it feels somehow out of touch to speak about the ‘positives’, such as the democratization of online learning through Massive Open Online Courses (MOOCs). As the impact of the pandemic on our education system materializes, schools and universities find themselves at an inflection point, where critical decisions must be made to protect the welfare of staff and students.

The UK education system remains globally respected, but entrenched in legacy governance. At this pivotal time, however, it can take an authoritative step forward to lead the sector’s cloud-first transformation on a global scale. As learning becomes virtualized, there is no better time for educational establishments to recalibrate their software development life cycle (SDLC), and cybersecurity plays an integral part.

Pivoting to the cloud for good reason

Cloud computing is a rare commercial success story to come out of the pandemic. Funding deals for cloud software vendors worldwide reached a three-year high of 97 during the second quarter of 2020, up from 76 during the same period in 2019, according to market intelligence firm CB Insights. A cloud-first strategy will futureproof education organizations as the need for online courses grows. What is surprising, however, is that the sector’s pivot to a new, digital normal is already in full flow. Indeed, there was a 91% surge in EdTech investment in the UK last year as disruptors began ‘rebundling’ the services offered by traditional institutions.

The shift towards cloud computing is reflected in the decisions being made about security investment as well. According to the ESG report on Modern Application Development Security, the top application security (AppSec) investment priority for organizations over the next 12 months will be securing their cloud application development process.

Time for app security teams to become SaaS-y

As the education sector moves from on-premises servers to the cloud, AppSec teams have a great opportunity – and responsibility – to review and reduce the risks held within existing applications.

Nowhere is this more apparent than in our tenth edition of the State of Software Security (SoSS) report, which found that while government and education institutions fell into the middle of the pack for the prevalence of severe flaws, they came next to last in terms of fixing those flaws. The biggest threat to the education sector, however, is its level of security debt, which came out on average 2.4X higher than that of the IT sector. This means there are critical vulnerabilities that have accumulated over time in the software used by education institutions. If exploited by malicious actors, these software flaws could trigger a disastrous data breach through a malware attack, resulting in a loss of public trust and possible regulatory fines.

In the new cloud reality, it’s vital that installation processes are fast and seamless, and the only way this can be achieved is through SaaS-enabled software scanning. If the education sector can start scanning remotely from day one without worrying about manual patching or updating later down the line, schools and universities can hit the ground running with peace of mind for the future. This is the next frontier of application security.

The “all-in” mentality in paying down security debt

Our SoSS research also told us how regular scanning helps organizations reduce their security debt. Currently, the majority (90 percent) of the government & education sector scans applications 12 or fewer times per year, explaining why it struggles to pay down security debt. Just like your personal credit card, it’s hard to make a dent in what you owe if you only make a few payments a year.

So how can the education sector improve the security of its software?

It requires an “all-in” mentality to reduce the risk posed by software vulnerabilities, with an onus on app developers to spend time reviewing the robustness of their creations. To achieve this, developer cybersecurity training is more critical than ever, but data shows us the industry isn’t taking it quite as seriously as it should. The recent ESG survey report also highlighted that only 20 percent of surveyed organizations offer security training to new developers who join their company, and 35 percent say that less than half of their developers even participate in formal training to begin with.

While robust AppSec tools help developers learn as they code to get ahead of flaws before deployment, regular, engaging training is required to help them juggle the demand for security with the need for speed. Ultimately, the perfect pairing of training and tools means less time spent fixing flaws and more time flexing creative muscles to help their organizations stay ahead of the competition.

The true potential of education is about to be unlocked

As education shifts from the lecture hall to online, the ability to work from anywhere is essential for teachers and students alike. A SaaS-based AppSec platform is essential to keep learning accessible, secure and alive.

The impact of education on socio-economic growth is almost incomparable. With its potential so vast, online tuition is about to explode, not only in the UK but across the world. We’re fortunate to live in a time when learning is quite literally at our fingertips. Now we just need to keep it secure.

Paul Farrington
Paul Farrington is the Director of EMEA Solution Architects at Veracode.