Mar 30, 2015
Whilst many organisations recognise the need to train their software developers in security, expensive and ineffective training programs are relatively commonplace.
In order to ensure your software developers can improve their security knowledge in an efficient and cost-effective way, it’s important to avoid the five software developer training mistakes that most organisations make.
1) Assuming Developers Already Have Security Knowledge
Many organisations make the assumption that software developers already have a thorough understanding of security. In reality, most computer science degrees prioritise the teaching of theory and efficient software development, without emphasising security best practices in their syllabus.

Many aspects of a software developer’s training and professional responsibilities mean that security practices take a back seat. Developers are judged primarily on their ability to create reliable, effective code, whilst working to incredibly tight deadlines. Their adherence to the best practices of writing secure code is rarely a priority, and can even contradict their primary goals. As such, developers rarely have an incentive to undertake security training of their own accord. Even if developers once had a thorough grounding in security, the constantly evolving nature of software development means that periodic refreshers are essential.

As a result, it’s important that organisations don’t simply assume that their developers are well versed in secure development practices – and that they identify when developers need additional training, and take steps to implement it.
2) Only Using Classroom Training
A software developer’s time is an extremely valuable asset, and any activity that takes a developer away from a project will incur some degree of cost for the organisation. In order to make security training as time- and cost-effective as possible, it’s better for developers to enrol in an eLearning program and avoid classic classroom-style training programs:
- Classroom-style training requires developers to take significant time away from a project, incurring greater opportunity costs than eLearning courses, which can be engaged with on a flexible basis.
- Developers will often resent being removed mid-project, creating a barrier to effective engagement with the security course.
- Classroom courses offer limited scope for developers to refresh their knowledge, and learn about the latest security developments.
3) Not Refreshing Security Training
Rapid changes to technology and software development mean that the best practices of security are constantly evolving. As new bugs and exploits emerge, it’s vital for developers to stay abreast of developments, and ensure that their own practices are up-to-date.

Whilst a one-off training program will improve security in the short term, without periodic refresher courses its benefits will gradually diminish. Thankfully, many eLearning courses offer modules catered towards ongoing development. These modules will be regularly updated, and thanks to the flexible nature of eLearning, can be accessed on a regular basis.

In addition to periodic refreshers, it’s also helpful to provide developers with a security knowledge base which can be easily accessed whilst they’re programming.
4) Not Tailoring Training
Once your organisation realises the necessity of developer security training, it’s important to go a step further, and implement tailored training programs to suit the specific needs of a developer’s specialisation.

Security issues are often specific to particular development environments, types of technology and coding languages. Generic security training may not benefit particular developers, and may even overlook crucial security issues unique to a specific skill or role. Even if a security lesson is extremely relevant to a PHP developer, the lesson may not have the same benefit for a Java developer.

The same principle applies to the methodology used by software developers. A project that uses the traditional waterfall methodology may have very different security concerns to one developed using the agile methodology, and security training needs to reflect these differences.
5) Not Assessing Developers’ Security Knowledge
It’s important for software developers to buy in to the concept of security, and understand the need for security training. However, it’s still crucial for organisations to implement a structured and, to some extent, mandatory security program – and ensure that all members of the development team have a working understanding of security.

A crucial part of this is regularly assessing the security knowledge of developers. Periodic testing of their security knowledge will encourage developers to undertake security training of their own accord, and allow your organisation to assess the efficacy of its training programs.

In doing so, you can demonstrate that your organisation values effective security practices, and incentivise developers to participate in security programs which improve their own knowledge.