Posted by Ashutosh Agrawal on September 28, 2016
Security training is an investment that yields critical returns to both the organization and the organization’s most valuable asset—its people. Training can directly impact key metrics like bug density ratios and time to remediation if it is implemented effectively. Today, I’ll highlight three ways that application security training can effectively benefit your long-term security strategy and mature your software security program.
Let’s cast our lines into the world of security training:
Competency management is particularly important when approached from a training perspective. Building competency management capabilities allow an organization to create a knowledgeable workforce and promote a culture of software security throughout the organization. One way that organizations can do this is to provide role-specific training. This also includes computer-based training programs.
At the very least, organizations should deliver an annual software security refresher course that all employees working in the software development process are required to attend. These refresher courses keep staff up-to-date on emerging and shifting security topics and ensure that the organization doesn’t lose focus due to turnover.
Continual training and mentorship are critical to maintain the competency of the team. They also enhance the effectiveness of other investments in software security such as static code review and penetration testing.
Organizations can use security training as a preventative control to secure their software. The software security industry is dominated by more black hat security expertise than white hat secure development know-how. The number of attack vectors and software-induced security risks continue increasing with the rise in new technologies. However, the industry remains crippled by its inability to combat such risks.
As the software security industry matures, more organizations are starting to realize the importance of vulnerability prevention. Awareness is also rising around vulnerability identification and remediation. Providing training and reference materials on secure coding best practices educates developers on proactively preventing common vulnerabilities. Additionally, providing real-time security tools to developers enables them to self-correct behavior much faster and earlier within the project life cycle.
Organizations can use security training as a mechanism to create active, effective security experts within the development organization. Thus, leading to scaled fulfillment of the secure development methodology and leading development teams to improve the quality of software. These experts (often referred as Security Champions) act as the resident security experts for one or more development groups, as needed.
In order to provide both breadth of knowledge and depth of skill, the training for a Security Champion relies on a combination of computer-based training courses and hands-on learning. Make training explicitly role-based to enable trainees to benefit most effectively from the curriculum. Structure the curriculum to build knowledge sequentially and also account for different learning methodologies in computer-based and instructor-led training environments.
If applied effectively, security training can help organizations build key software security initiative (SSI) capabilities. It is particularly true of competency management, proactively preventing vulnerabilities from being introduced into the code, and allowing InfoSec teams to mint Security Champions within the organization.
Investing in security training can yield long-term benefits to the organization and help reel in the overall cost when it comes to identifying, remediating, and preventing security issues.