If you face any of these four software security training challenges, we have some tips to help you overcome them and get your team the training they need.
Security training for software developers is a critical element of organizational security. While it may not make them all security experts, if done right, it can transform your development team from a liability into one of your greatest assets.
Many organizations have the right intent—at least after they have been breached.
However, as is the case with any security control, it’s possible to implement training incorrectly. This post will discuss several common software security training challenges and recommend how to prevent or overcome them.
An all-too-frequent training paradigm prescribes a “scattershot” approach: Require all development team members to attend the same software security training, regardless of their roles. As a real-life example, one organization required that all their developers take a course on common attacks and defenses for web applications written in Java—even developers doing mainframe client-server maintenance in COBOL.
A good instructor will always try to focus material on the level of expertise and the needs of the students. But when a vast range of roles and expertise all attend the same course, this becomes incredibly difficult.
To be effective, training must complement the roles of the attendees. Software developers and testers require training with a heavy technical focus. Project managers need more of a business focus. Even training carried out to “check the box” for compliance (e.g., SOX, PCI, HIPAA) should be customized based on role. Otherwise, it’s likely to be a waste of time and money.
Beyond that, software security training should be engaging and interactive, including elements like hacking demos, hands-on exercises, and case studies. To be effective, courses must be relevant to the technology and platforms that the developers are currently using.
Finally, consider online training, or e-learning courses, that can be filtered by level, delivery, role, curriculum, and language. Although less interactive than instructor-led training, e-learning courses give developers the flexibility to access training when they have time and to review it whenever they need to.
And you can give it a push by providing incentives to developers. Encourage them to make time for training by offering a reward for every course or series of courses completed.
Training programs are often static year over year. But since software security is a facet of software engineering, it is constantly evolving. With few exceptions, if you encounter framework- or language-specific training that hasn’t been updated in the last five years, you should examine the course carefully to ensure it’s still relevant. Even if the technology itself hasn’t changed, attackers are using new or novel attacks and pivoting on previously used attacks to break into legacy systems.
If appropriate, and if the audience is sufficiently technical, software security training should include technical details of recent breaches. Students find these discussions interesting, even if they’re not working on the technology involved in the breach.
Anybody receiving software security training, including software developers and others in the software development practice, wants to know that their instructor has faced challenges similar to the ones they face every day.
For example, it’s relatively simple to describe an SSL certificate management strategy based on a Java KeyStore. It makes a world of difference to trainees if the instructor can also give useful information about common KeyStore issues and how to debug them. If he or she can’t address anything that isn’t in the instruction script, trainees would probably be better off using Google to get the necessary information.
Like any other security control, software security training costs money. So to make the case for a training budget, it’s often helpful to frame it in terms of the potential cost of a data breach. There’s no shortage of data from research firms such as Ponemon, which found that in 2019, the average total cost of a data breach in the U.S. was $8.19 million, more than twice the global average. Additionally, the cost per compromised record was higher for industries such as healthcare, life science, financial services, and transportation.
We’ve heard before that we were in a “golden age of hacking.” But we’re very much in another one, thanks to a global upheaval in the way we develop software and conduct business, as well as the continued explosive growth of the Internet of Things (IoT). When everything is a computer—dishwashers, refrigerators, toasters, thermostats, home security systems, cars, even roads and cities—the attack surface grows, hacking expands, new threats emerge, and the risk continues to rise.
The good news is that software security training has emerged as a fundamental part of software development, so you’ve got more training options than ever. Your competitors, especially those that have already been breached, have made software security training a priority. Don’t wait for a disaster before making effective training a priority for your organization.
This post was originally published Oct. 13, 2016, and refreshed July 20, 2020.