Jul 25, 2018
In today's incredibly competitive software environment, developers are under immense pressure to create the latest feature-rich applications, on time, and on budget. These pressures make it hard for developers to improve their security knowledge. So, to reduce code vulnerabilities and secure your latest developments, it's essential to roll out secure software development training. To help you overcome these hurdles, I'm looking at The 3 Pillars of Secure Software Development, and showing you how they can be used to roll out an effective developer training program.
1) Setting Security Standards
Codified standards make it possible to define the security requirements of different development projects. A secure development process can then be tightly defined, addressing the technical details of secure software design and implementation. This can be used to inform the syllabus and content of developer training, acting as a roadmap for the effective rollout of your training program. Clear security standards will also contribute to a secure organisational culture. This is an environment where security is at the forefront of every development project, and developers feel empowered to identify, raise awareness of, and take action on any potential security issues. The first step in creating a secure culture is the development of organisation-wide security awareness. This is most readily achieved by:
- Visible, top-down adoption of security standards – including the C-suite.
- Input from professional security experts.
- Regular security training.
2) Educating Developers
Armed with codified security standards, you can now develop an effective developer security training program. If security standards are designed to empower developers to take action on security threats, education provides them with the tools necessary to do so. For an effective rollout, your secure development training needs to be:
Planned For
Developers work to high-pressure schedules and tight deadlines, and as a result often struggle to prioritise secure development. To ensure training doesn't interfere with current work, developers' project plans need to explicitly include room for security training.
Engaging and Non-Invasive
The easiest way to create engaging, non-invasive training is through the use of eLearning. By breaking training down into manageable 2-3 hour sections, developers can complete training at their own pace.
Role-Specific
Developers have all manner of specialities, including different languages, platforms, methodologies and technologies. To keep training relevant, engaging and effective, the course syllabus needs to be role-specific, and tailored to these specialities.
Receptive to Developer Feedback
Security training can be a hard sell to experienced developers. Wherever possible, training needs to acknowledge this and act on developer feedback. Training needs to evolve to suit the needs of developers and, wherever possible, address the developers' most common complaints about security training.
3) Assessing Security
In order to monitor the efficacy of your security training program, it’s essential to periodically assess its impact. There are two primary ways to do so:
Test Developer Knowledge
Computer-based developer training programs make it easy to integrate periodic testing into the syllabus. Short tests at the end of modules can be used to assess a developer's understanding of the topic. This can be used to monitor improvements in performance, and shape the direction of future training. Course attendance and test completion can be used to monitor the rollout of the course, and help senior execs keep track of the number of developers who have successfully completed each stage of the training course.
Test Code Security
Security training is designed to improve developer behaviour, in order to minimise the number of bugs and vulnerabilities that make it into a finished product. To monitor how training is translating into improved security, it's essential to regularly test code security and measure the number of vulnerabilities making it into test. Comprehensive methods like penetration testing and static analysis need to be used periodically, and complemented by frequent, more cost-effective checks like code review and pair programming. Record a baseline before training starts, then benchmark against it at regular intervals; normalise counts against code size and keep the scanning tools and rule sets constant between measurements, otherwise a change in the numbers may reflect the tooling rather than the developers. This process of baselining and periodic benchmarking is a crucial part of monitoring the ROI of a security training program rollout.
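The baseline-and-benchmark comparison described above, worked through in code. This is an added example and not part of the original post: the finding format (a list of records with `severity`, `cwe` and `file` keys), the severity weights, the two scan results and the line counts are all constructed here for illustration, and a real rollout would feed in its own SAST export instead.

```python
"""Baseline-versus-benchmark vulnerability metrics for a training rollout.

Added example (not from the original post). Assumes a static-analysis tool
whose findings can be reduced to records with "severity", "cwe" and "file"
keys; the records below are constructed sample data, not a real scan.
"""
from collections import Counter
from typing import Dict, List

# Severity weights are an assumption; align them with your own risk rating.
SEVERITY_WEIGHT = {"critical": 10, "high": 5, "medium": 2, "low": 1}


def finding(severity: str, cwe: str, path: str) -> Dict[str, str]:
    """Build one finding record in the (hypothetical) export format."""
    return {"severity": severity, "cwe": cwe, "file": path}


# Constructed baseline scan, taken before training started (10 KLOC).
BASELINE: List[Dict[str, str]] = [
    finding("critical", "CWE-89", "orders/dao.py"),
    finding("critical", "CWE-89", "reports/search.py"),
    finding("high", "CWE-79", "web/templates.py"),
    finding("high", "CWE-79", "web/profile.py"),
    finding("high", "CWE-79", "web/admin.py"),
    finding("medium", "CWE-327", "auth/hash.py"),
    finding("medium", "CWE-327", "auth/token.py"),
    finding("low", "CWE-117", "web/log.py"),
    finding("low", "CWE-117", "orders/log.py"),
    finding("low", "CWE-117", "reports/log.py"),
]
BASELINE_KLOC = 10.0

# Constructed benchmark scan, one quarter later; the codebase grew to 12 KLOC.
FOLLOWUP: List[Dict[str, str]] = [
    finding("high", "CWE-79", "web/templates.py"),
    finding("high", "CWE-79", "web/admin.py"),
    finding("medium", "CWE-327", "auth/token.py"),
    finding("medium", "CWE-22", "reports/export.py"),
    finding("low", "CWE-117", "web/log.py"),
    finding("low", "CWE-117", "orders/log.py"),
    finding("low", "CWE-117", "reports/log.py"),
]
FOLLOWUP_KLOC = 12.0


def weighted_density(findings: List[Dict[str, str]], kloc: float) -> float:
    """Severity-weighted findings per thousand lines of code.

    Normalising by KLOC keeps a growing codebase from masking improvement.
    """
    if kloc <= 0:
        raise ValueError("kloc must be positive")
    total = 0
    for f in findings:
        if f["severity"] not in SEVERITY_WEIGHT:
            raise ValueError(f"unknown severity {f['severity']!r}")
        total += SEVERITY_WEIGHT[f["severity"]]
    return total / kloc


def count_by_cwe(findings: List[Dict[str, str]]) -> Counter:
    """Raw finding count per CWE, used to spot which classes moved."""
    return Counter(f["cwe"] for f in findings)


def compare(baseline, baseline_kloc, followup, followup_kloc) -> dict:
    """Benchmark a later scan against the baseline.

    Returns densities, the percentage change, the per-CWE delta, and the
    CWE classes that got worse ("emerging": candidates for the next training
    module) or better ("improved").
    """
    base_d = weighted_density(baseline, baseline_kloc)
    new_d = weighted_density(followup, followup_kloc)
    base_cwe, new_cwe = count_by_cwe(baseline), count_by_cwe(followup)
    delta = {c: new_cwe[c] - base_cwe[c] for c in set(base_cwe) | set(new_cwe)}
    return {
        "baseline_density": round(base_d, 2),
        "followup_density": round(new_d, 2),
        "change_pct": round((new_d - base_d) / base_d * 100, 1),
        "cwe_delta": delta,
        "emerging": sorted(c for c, d in delta.items() if d > 0),
        "improved": sorted(c for c, d in delta.items() if d < 0),
    }


if __name__ == "__main__":
    report = compare(BASELINE, BASELINE_KLOC, FOLLOWUP, FOLLOWUP_KLOC)
    for key, value in report.items():
        print(f"{key}: {value}")
```

With the constructed data the weighted density falls from 4.2 to 1.42 per KLOC (about a 66% drop) even though the codebase grew, SQL injection (CWE-89) disappears entirely, and one new class (CWE-22, path traversal) appears, which is exactly the signal the text describes for shaping the next round of training.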