Give Developers Training That Actually Helps

Do you have a security education program for your developers? I hope so. Although developers are certainly capable of writing quality, secure code, most were never trained in security. They just don't know what they don't know.

When I was actively developing enterprise software, I would visit the bookstore to purchase books on the technologies that I was using. These books were hundreds of pages long and cost about $60. In the end, there might be about 30-40 pages that I found useful. I was happy for those pages, but lamented the wasted time and cash for the stuff that didn't apply to me.

On-demand eLearning can suffer from the same drawback. For example, a secure Java coding course gives a great overview, but likely contains lessons and examples that do not apply to your developers. However, any great AppSec program will have some sort of on-demand eLearning program for developers. We have measured that teams using eLearning do remarkably better than teams that do not – seeing a 6x greater reduction in flaw density, according to our research for the latest State of Software Security report.

If you have a mature AppSec program, you can do even better. My definition of a mature AppSec program has several components:

1. A clearly defined and communicated security policy

2. Regular automated scans of the entire application

3. A way to aggregate security results

If you have these components already, then you are off to a great start. The next thing on your list should be to measure and track the most frequently introduced vulnerabilities, probably by CWE (Common Weakness Enumeration). This information will tell you exactly what your developers are struggling with. This metadata allows you to turn the blunt instrument of secure coding into the scalpel of a timely and entirely relevant learning lunch or instructor-led training session. Fill a room with pizzas and developers, and talk to them about a problem that they are currently struggling with. They will certainly pay closer attention to this specific help (in between bites of pizza).

Because you're regularly scanning, you can now measure the impact of your training on the teams you have helped. You should see a steady decrease in the number of those specific vulnerabilities over time. This ROI can be used to justify more expenditures for training. Lather, rinse, repeat.


Leave a Reply