Overcome the gap in your developers’ education, and lower your application security risk, with these best practices for security training for developers.
As the builders of applications, developers are on the front line in defending those applications against security threats. But most developers don’t have the training to make sure the code they create is secure. As a result, their work might be riddled with vulnerabilities that open the door for hackers to access sensitive data and systems.
Security testing helps catch vulnerabilities before applications go to production. But when the security team identifies issues in code, they have to send that code back to developers for remediation, resulting in rework, delays, and frustration for everyone involved.
It’s clear that if developers had better training in secure coding, fewer security issues would make it to the testing stage, and releases would be faster and less frustrating. So why the gap in developer training?
In part, developers don’t focus on security because they’re “builders,” not “breakers.” Software development is more a creative endeavor than it is a rigorous engineering process.
Developers’ primary job is to create features that work—not to worry about what might go wrong. They accomplish their task by combining known processes and procedures in innovative ways. In doing so, they focus on building strengths and fail to consider potential weaknesses.
Compare the mindset of developers to the iterative design process that engineers follow in, for example, bridge construction.
We’ve built bridges for thousands of years. Over that time, many have failed. When a bridge collapses, engineers analyze the failure and refine their model. They learn lessons from what doesn’t work and share their knowledge with others. Over time, the lessons learned have led engineers to build more stable, reliable bridges.
By contrast, we have only a few decades of experience with software security breaches. Therefore, most developers haven’t developed the rigor of building security into their code.
Another reason developers don’t focus on security is that they haven’t been trained to do so.
For most software developers, security training is an afterthought. Programming classes focus on creating functionality, not preventing threats. Many developers are self-taught and have little formal training—let alone any security training.
For those developers who do receive security training, it’s typically inadequate. Code examples are often incomplete and don’t demonstrate the full scope of security issues. The instructors might not even have expertise in security topics.
What’s more, security threats evolve rapidly. By the time developers need to apply the knowledge they’ve learned in the classroom, the information might be out of date. Or the languages and frameworks they use on the job might differ significantly—and have different inherent weaknesses—from the languages and frameworks used in their classes.
Once they’re in the workforce, most developers have few opportunities to train. Because their time is expensive, they have to focus on creating unique functionality and getting applications out the door.
But there’s a better approach to security training for developers.
How can you ensure that your developers are well trained in secure development? Consider the following best practices when you’re looking for or creating a training program for your team:
Provide hands-on exercises. Developers are natural problem-solvers and love a challenge. They’ll learn much more from practical examples that allow them to solve real-life scenarios than from lectures.
Make the courses relevant. Guidance, case studies, and examples should match the technology and platforms that the developers are currently using.
Use engaging demos. Capture developers’ attention with hacking demos. Not only will they learn more about the black hat mindset they are up against, but they’ll also understand why they need to validate and sanitize input and think through what might happen if something were to break.
Consider online training. Although less interactive than instructor-led training, e-learning courses allow developers to participate in security training when they have time. E-learning is ideally suited for teaching certain complex material so that learners can review it again and again if needed.
Provide incentives. Encourage developers to make time for training by offering a reward for every course or series of courses completed.
Filling in your developers’ knowledge gaps can pay huge dividends. With the right security training, your developers can learn how to create code that’s both functional and secure, saving your organization a lot of time and effort.
Synopsys helps developers stay up to date with application security with both on-site and on-demand training.
This post was originally published June 18, 2015, and refreshed May 13, 2020.