May 29, 2017
There's a missing link in your application security: a training knowledgebase. To help improve the efficacy of your security training roll-out, I'm exploring the purpose of a knowledgebase - and looking at six reasons for implementing one in your organisation.
1) It's Everything Secure Developers Need, In One Place
There's more to effective security training than classroom sessions and online tests. For developers to effectively engage with training, and learn to apply its principles in a real-world setting, they need a way to revisit their training. They need access to a resource that compiles all of the advice, insights and examples of their security training in a single, easy-to-access place.
A security knowledgebase (like our own Team Mentor) provides easy access to thousands of security artifacts. From advice on application design, to individual examples of the latest vulnerabilities, it provides a one-stop shop for developers to brush-up on their training.
When a cross-site scripting or buffer overflow problem emerges, it provides developers with immediate access to the information they need to effectively remediate. There's no need to pore over a Google search, or scour development forums for advice - and developers can learn about each vulnerability, and its countermeasures, at the click of a button.
2) It Offers Role-Specific Advice
Even if developers are able to learn about a vulnerability from an internet search, there's no guarantee the solution will be relevant to their particular role. Remediation advice needs to be specific to a developer's individual role, whether they're an architect or a Java developer. Whilst generic advice may help developers to understand their problem, it'll do nothing to help them effectively remediate it.
A training knowledgebase makes it possible to search for this type of role-specific information. As well as indexing content by individual vulnerability and bug, it makes it possible to search by role and specialisation - allowing developers of all stripes to find information specific and helpful to their individual role.
3) It's Customisable to Your Team's Standards
Many organisations and development teams have their own set of internal standards and development rules. When a vulnerability appears, these rules may prevent developers from following the best practices detailed in security courses and online advice. This can often mean that otherwise useful information can't be used to remediate - leaving developers with no recourse for fixing vulnerabilities.
Thankfully, a training knowledgebase should be more than a simple respository of information. Thanks to its customisable nature, the information and best practice outlined in a training knowledgebase can be customised to the unique needs of the development team. It makes it easy to centralise development standards; and where these standards contradict remediation advice, fellow team members can explain how they've overcome the problem in the past, and detail their own solutions. This makes it possible to create an archive of successful remediation strategies, unique to the rules and standards of each development team.
4) It Improves Developer/Security Communication
Many organisations struggle with the security team/development team dynamic. Without security education, development teams find it difficult to respond to the vulnerabilities and bugs identified by security's testing. Without the ability to remediate, the same problems appear the next time security test - leading to growing friction between the two teams.
With a developer knowledgebase, security teams can quickly and easily point development teams to the information they need to remediate the problems detected by security. Instead of dumping a damning report on their desk, and telling the developers that their baby's ugly, security can soften the blow - providing actionable advice for fixing problems, and helping both teams to improve the results of the next test.
5) It Gives Developers Real Code Examples
Tools like Quick Scan and Fortify can be helpful for identifying problems, but in most instances, the remediation advice they offer isn't great. Without role-specific information, and actionable advice to follow, it's extremely hard for developers to use their security knowledge to fix real-world problems.
Thankfully, the best developer knowledgebases will actually integrate with these static code analysers. Tests can be run, and when problems are identified, developers will be able to find real-time solutions to problems, as they appear. As well as providing general advice around each problem, they'll be able to use actual code examples to streamline the remediation process.
As well as saving development and security teams a ton of time, this makes it easier than ever for developers to learn from their mistakes - identifying problems as they appear, and learning the code needed to prevent these problems from recurring.
6) It Improves the Efficacy of Security Education
Organisations everywhere understand the growing need for application security, and many even choose to roll-out an application security training course. However, the lessons and insights learned by developers will fade over time - and a few weeks and months down the line, there's no guarantee that developers will be able to apply their knowledge to the real-world.
Security education is the key to finding and solving vulnerabilities early in the SDLC; and a training knowledgebase is a crucial component of making that education as effective as possible. By providing developers with an easy-to-access repository of effective, customisable security knowledge and detailed examples, you can ensure that every penny of your security training investment is used as effectively as possible.
To learn more about the best way to roll-out an application security training program, download our free whitepaper below.