Jun 06, 2018
Tired of wasting your time and energy on application security training that doesn't lead anywhere? Today, I'm looking at six problems that cause appsec training programs to falter and fail - and offering actionable advice on how to tackle the problems and roll out an effective application security training program.
1) Security isn't a Priority
In many organisations, the concept of application security is paid little more than lip-service. With growing media coverage of the risks posed by poor application security, it's a concept many people are aware of; but when push comes to shove, security always takes a back-seat. Investing in a training program is only step #1. To encourage people to take security seriously, you need to make application security a high-profile priority - making sure it's backed by the C-suite and publicised at all available opportunities.
2) Lack of Enforcement
Without enforcement, your employees will have no reason to engage with application security training. Thankfully, there are a few tried-and-tested tactics you can adopt to improve the efficacy of your training:
- Set a time frame for completion.
- Test employees on your security curriculum.
- Monitor adoption and completion rates.
- Recognise and reward security champions.
3) Poor Developer Adoption
In most organisations, developers simply aren't judged on the security of their code. Instead, their performance is scrutinised according to the speed of their development, and the efficacy and functionality of their code. As a result, security isn't prioritised, and training is treated as an unwelcome intrusion. However, by emphasising the importance of secure code, and the role developers have in facilitating it, it becomes possible to dramatically improve developer adoption.
4) Poor Communication Between Security and Development Teams
All too often, problems with appsec boil down to miscommunication between security teams and developers. With very different goals and responsibilities, it's extremely difficult to align the two around your organisation's security goals. However, by supplementing your application security training program with a developer knowledge base, it's possible to empower your developers with the information required to make sense of security reports, and to remediate quickly and efficiently.
5) You Lack the Right Skills
There's more to an effective application security program than security knowledge alone - and while many organisations will have security experts and experienced developers, few possess the teaching, mentoring and coordination skills required to make application security training work. Often, partnering with an external organisation will work wonders for your security: providing an expert outside perspective on everything from the best metrics for monitoring adoption and completion rates, to ways to improve the quality and efficacy of teaching.
6) No Culture of Security
Many of these problems stem from the lack of a secure culture within your organisation. Though a 'secure culture' may sound like a big, vague concept, you can start improving your organisation's understanding of security in simple, actionable steps, with security awareness training. By educating your entire organisation about the threats posed by poor security, you encourage everyone to take responsibility for the problem - not just developers and security teams.