Most new grads haven’t learned how to develop secure code. Here are four critical steps to create a secure development training program for your team.
An organization’s primary goal for new hires is to transition them from onboarding to productivity as quickly as possible. Each year, a new crop of intelligent, highly technical entry-level developers enters the job market. These new graduates may be trained in data structures, computer logic, and parallel computing. However, most don’t have the knowledge or experience to develop secure code.
This missing skill often costs an organization thousands of dollars in patching vulnerabilities stemming from unsecured code. Additionally, it’s important to consider the cost of losing business and sensitive information due to a variety of potential vulnerabilities.
For the first few months, an entry-level technical employee focuses on getting acclimated to their new working environment. They’re finding their place on the team, working through strengths and weaknesses with their supervisor, and completing other standard onboarding activities.
During this transition, they should also undergo secure development training along with other standard training modules. Bolstering this critical element in their technical approach benefits both their career and the firm’s security stance in the long term.
Most entry-level developers don’t learn security in their undergraduate computer science programs, so the responsibility for secure development training falls to your organization when you bring them onto the team. Consider also that even if they did take security courses in school, your organization might promote a different approach. Thus, you should conduct training internally to ensure that your development team members are all on the same page. Here are the four steps to go about this:
The Open Web Application Security Project has been tracking web application security flaws since 2003. Their OWASP Top 10 helps developers determine how an application might become vulnerable based on specific weaknesses. It identifies attack vectors, technical impacts, business impacts, and methods to prevent the most common types of security vulnerabilities. A strong resource for white papers, books, and monthly meetings of IT professionals, OWASP can help your organization establish this knowledge baseline.
Next, after your team has established a baseline of knowledge, you can narrow the information down to the issues that have the most impact on your organization. Start by building training materials that address your firm’s specific needs and goals. Senior developers and software architects should help develop these materials: they hold a deep understanding of security, they review the code being checked in daily, and they are the members of the team who can best pinpoint software security flaws.
You can accomplish training in two parts. The first is through a classroom or lecture format. This training can include slides demonstrating both unsecured code and remediation advice on how to fix that code. For example, if your company has a heavy focus on .NET development, the slides should show .NET security features.
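As an added illustration of what one such slide pair could contain (this is a constructed example, not code from the original post or from Synopsys), the following shows the same database lookup written with an OWASP Top 10 "Injection" weakness and then remediated using .NET's parameterized queries. The `Users` table, the `Username` column, and the `UserLookup` class name are assumptions made for the example.

```csharp
using System.Data;
using System.Data.SqlClient;

// Constructed training-slide example: one lookup, unsecured and remediated.
public static class UserLookup
{
    // UNSECURED: the caller's input is concatenated into the SQL text, so the
    // input can change the structure of the query instead of only its value.
    public static int CountByUsernameUnsafe(string connectionString, string username)
    {
        string sql = "SELECT COUNT(*) FROM Users WHERE Username = '" + username + "'";
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            conn.Open();
            return (int)cmd.ExecuteScalar();
        }
    }

    // REMEDIATED: the query text is a constant and the input travels as a
    // typed, length-bounded parameter, so the database never parses it as SQL.
    public static int CountByUsernameSafe(string connectionString, string username)
    {
        const string sql = "SELECT COUNT(*) FROM Users WHERE Username = @username";
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@username", SqlDbType.NVarChar, 64).Value = username;
            conn.Open();
            return (int)cmd.ExecuteScalar();
        }
    }
}
```

In a slide deck the two methods sit side by side, with the remediation notes pointing at the constant query text and the `Parameters.Add` call; the same before-and-after layout works for the other weakness classes in the OWASP Top 10 that matter most to your codebase.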
Part two of the training process is equally important. This second phase demonstrates how security and software development are intertwined. To start, present the new hires with a sample application. Use this sample to test the theoretical training materials in a realistic scenario as the trainees install an IDE, pull code from the version control system, and review and make changes to an enterprise-level application.
To emulate the software development life cycle (SDLC), you can provide trainees with a software requirements specification document outlining enhancements to the application. As they proceed, they can practice fixing the security flaws they discover. More importantly, moving through the simulated SDLC lets them judge how well they absorbed the theoretical security training. They also improve their ability to read other developers’ code and adapt to the team’s coding conventions.
After completing the assignment, the new hires should meet with senior developers to discuss how they went about implementing new features, discovering security flaws, and enacting solutions in the exercise.
Training employees on secure development early encourages secure coding practices throughout their careers. In other words, when employees learn to code securely and practice secure coding daily, they’re more likely to remember the fundamentals. In the long run, if you establish a strong secure development foundation in your employees and continue to sprinkle in security training here and there, the new skills will grow into healthy secure coding habits. Let’s establish this strong foundation to create a new crop of software engineers.
If you’re looking for software security training solutions, we’re here to help!
This post was originally published June 16, 2016, and refreshed June 17, 2020.
Antionette Parnther is a security consultant at Synopsys. She works with clients on vulnerability assessments, secure code reviews, and security architecture reviews. Prior to Synopsys, Antionette spent 2 years with the Board of Governors of the Federal Reserve System as a software engineer. She holds a BA in Software and Information Systems and an MS in Information Technology from the University of North Carolina.