Organizations see even more benefits from combining developer security training with application security testing in an efficient, closed-loop cycle. Application security testing provides security risk awareness, and developer security training enables security capability across pipelines. Integrating developer security training into DevSecOps workflows often fosters two types of security capabilities among developers: defensive and offensive.
Defensive developer security training
Application security testing detects security risks within development projects, in software passing through the pipeline on its way into production, and in third-party assets ingested via the software supply chain. When testing tools (e.g., SAST, SCA, IAST, DAST) identify security issues, automated workflows assign remediation tasks to development teams. Developers can then review the assigned remediation task together with the recommended security training, and use both to inform the code changes that address the issue.
This kind of defensive security training accelerates time to remediation, reduces the research burden placed on developers, and eliminates the subjectivity of risk assessment between security and development teams.
Offensive developer security training
Development teams’ primary focus is on shipping functional software quickly. If that software contains vulnerabilities and insecure code, fixing the issues and refactoring the code causes delays, potentially derailing development on other versions, branches, or projects. Conversely, security teams have to review the issues found by testing and prioritize the most pressing ones for remediation, which takes time and resources.
Offensive security training helps developers avoid introducing issues during development. By learning secure coding techniques, developers can reduce the number of vulnerabilities and weaknesses within application code from the start, so there are fewer detected by application security testing at later stages in the SDLC or CI/CD pipelines.