Posted by Antionette Parnther on June 16, 2016
An organization’s primary goal for new hires is to transition them from onboarding to productivity as quickly as possible. Each year, a new crop of intelligent, highly technical entry-level developers enters the job market. These new graduates may be trained in data structures, computer logic, and parallel computing. However, most don’t have the knowledge or experience to develop secure code.
This missing skill often costs an organization thousands of dollars in patching vulnerabilities stemming from unsecured code. Additionally, it’s important to consider the cost of losing business and sensitive information due to a variety of potential vulnerabilities.
During the first few months in their new role, an entry-level technical employee is focusing on getting acclimated to their new working environment. They’re finding their place on the team, working through strengths and weaknesses with their supervisor, and completing other standard onboarding activities. During this transition, they should also undergo secure development training along with other standard training modules. Building this critical element into their technical approach benefits both their career and the firm’s security stance in the long term.
Since most entry-level developers don’t learn security in their undergraduate computer science program, the responsibility falls to your organization when bringing them onto the team. Another important element to consider is that even if they do take security courses in school, your organization may promote a different approach. Thus, conduct training internally to ensure that your development team members are all on the same page. Here are the four steps you need to know in order to go about this:
The OWASP Top 10 has been tracking application security flaws for over a decade. OWASP helps developers determine if an application is vulnerable. It identifies attack vectors, technical impacts, business impacts, and methods to prevent the top security vulnerabilities. A strong resource for white papers, books, and monthly meetings of IT professionals, OWASP can help your organization establish this knowledge baseline.
Next, with a baseline of knowledge, narrow down the information to what drives the most impact within your organization. Build specific training materials addressing your firm’s needs and goals. Senior developers and software architects should play a major part in the development of these training materials. They hold a deep understanding of security and analyze code being checked in on a daily basis. Another benefit of their involvement is that they’re also the members of the team who can best pinpoint software security flaws.
Training can be accomplished in two parts. The first is through a classroom or lecture format. This can include slides demonstrating unsecured code and remediation advice illustrating how to fix that code. For example, if your company focuses heavily on .NET development, the slides should cover .NET security features.
Part two of the training process is equally important. This second phase demonstrates how security and software development are intertwined. First off, present the new hires with a sample application. Use this sample to test the theoretical training materials in a realistic scenario: new hires install an IDE, pull code from code collaboration (versioning) software, and review and make changes to an enterprise-level application.
To emulate the software development life cycle (SDLC), new hires should receive a software requirements specification document with enhancements for the application while they also fix the security flaws they discover. More importantly, moving through the SDLC allows them to judge how well they have retained the information from the theoretical security training, as well as their ability to read other developers’ code and adapt it to their own coding format.
After completing the assignment, the new hires should meet with senior developers to review how they went about implementing new features, discovering security flaws, and enacting solutions in the exercise.
Training employees on secure development early in their career progression encourages secure coding practices throughout their career. In other words, when an employee learns to code securely and practices secure coding daily, it’s doubtful that they’ll forget the fundamentals. In the long run, if employers sprinkle security training here and there on top of the strong foundations, the new skills will grow into healthy secure coding habits. Let’s establish this strong foundation to create a new crop of software engineers.
If you’re looking for software security training solutions, we’re here to help!