Continuous learning programs need to be an inherent part of any software organization that hopes to be successful in the long run. Getting better at what you do in tandem with other developers is paramount. Code quality, design, understanding your tools and frameworks better, and learning new tools are all areas where you should focus a consistent internal training program. Security, in particular, needs a significant amount of attention when it comes to internal training. You only need to look at the past year's worst hacks to see why. Developers are the ones who are going to have to solve this industry problem. The code begins and ends with them when it comes to building in security and fixing vulnerabilities. It's imperative that developers understand security very well, rather than leaving it up to separate groups or security individuals.
So how do you get a continual training program off the ground that is on the same quality level as companies like Adobe and Cisco? It's actually very simple, and the resources are free. These steps were put together with the help of two security experts: Jim Bird of BIDS Trading Technology, and John Melton of WhiteHat Security.
Step 1 – Discover Your Team's Strengths and Weaknesses
First, have your team take the free Secure Coder Analytics Quiz. All you have to do is sign up and the site will create a unique link so that everyone on the team can take the quiz online. It quizzes respondents on 20 random questions from a pool of 500. The questions cover 60 different security topic areas including OWASP, WASC and PCI. When the team has finished taking the quiz, a dashboard will show all of the scores in a single view and it will clearly show where your team’s strengths and weaknesses lie in various security topics. If colleagues are worried that this would make them look bad to the rest of the team or their bosses, there's no need to worry. The results are anonymized.
Step 2 – Get Executive Support
This could be step number one in many cases, since you can't move forward without it, but it helps to have solid research to bring to your managers that indicates a clear need for security training. Getting executive support will show everyone in the organization that this is a priority that can't be ignored. And as we all know, if the bosses don't require something, it will usually be ignored.
Step 3 – Decide on Training Style
This step depends on the size and makeup of your organization. Smaller organizations or startups will want to try having shorter, in-person training sessions, preferably one-on-one sessions, or at least the sessions can include a one-on-one follow up. If your organization is much larger, computer-based trainings (CBTs) and online presentations are the only sane solution. Their big advantage is that they can scale to train large, geographically-distributed teams. Just don't let them be awful, unengaging lessons. You'll have to work especially hard to make CBT courses that developers don't hate.
Adobe's security training program is a great starting point and possible inspiration for your own training program. It certainly was for Cisco, which built their own program on the foundations of Adobe's program. The program is outlined on the Adobe blog (part one, part two, part three). It uses CBTs for the first few achievement levels (white and green belts), and then for brown and black belt levels, there is a point system based on security-focused experience. The best part is that these early training courses by Adobe are freely available on SAFEcode.org.
Also, make sure that many of these training sessions are applicable to the team’s technology stack. No one learns a subject very well when they can't take it and apply it to their own code.
Step 4 – Tool Up and Make Security Visible
In order for the team to care about the security training initiative, they have to see it making a concrete impact. You can show this by having tools that provide meaningful security metrics and at-a-glance security ratings for each application. Some tools that can do this include static code analysis utilities, SAST (static application security testing), DAST (dynamic application security testing), IAST (interactive application security testing), and RASP (runtime application self-protection). When these tools show that your training is having a tangible impact, you need to celebrate.
Step 5 – Create a Rewards Program
To celebrate the tangible impact or completion of security training milestones, you need to have a structured rewards program. This is pretty flexible and can be based on your team's preferences (i.e. whatever motivates them). Food, gift cards, paid conference trips, or other prizes are all good options. Bonuses and performance-based pay raises won't hurt either.
Step 6 – Nurture Security Champions
The real value of the training comes from the security champions. They will become core contributors in your development teams, and they will help continue building effective security training and provide support. These individuals will be the ones that go speak at conferences and solve the hard problems. Team managers should collaborate with security champions on what the security goals should be for their particular situation. Champions should be given the freedom to research security issues and set security guidelines for the team. Their responsibilities should include meeting the goals set out for them and solving hard security problems.
Step 7 – Provide Plenty of Resources
This is by no means an exhaustive list, or a list that's specific to your team's particular needs, but it's an excellent foundation of free resources recommended by security experts:
Top General Resources
- OWASP Flagship Projects
- OWASP Top Ten
- SANS 25 Most Dangerous Software Errors
- CIS 20 Security Controls
- IEEE Center for Secure Design
- OWASP Cheat Sheets
- OWASP Proactive Controls
- OWASP Developer Guide
- OWASP Security Knowledge Framework
- DZone's 2015 Guide to Application Security
Purposely Vulnerable Applications (For Training)
Security Training is Worth It
More secure code doesn't just mean that you're preventing bad exploits from occurring. Writing secure code often translates to writing more reliable, readable, and high-performance code. So what you may not realize is that a security training program, by default, is a code quality program that will increase the quality and elegance of your team's code.