October is National Cyber Security Awareness Month (NCSAM), a commendable public-private initiative focused on training businesses and users in practicing better digital hygiene. If there’s one drawback to awareness programs like NCSAM, it’s the potential for awareness to spike in the short term and fall off in the long term.
Without follow-up training and continuous learning, security awareness programs accomplish little. Maybe you can check a box to comply with the CISO’s strategic plan, but really there’s no benefit to anyone from training that’s quickly forgotten.
Effective and lasting security awareness is important for everyone, but especially so for software developers. Software applications power the way people work and help businesses thrive, yet the application layer also represents the biggest cybersecurity risk. Whether you’re a developer or security professional, you understand that no one is more important to application security than the ones who write the code. Here are three ways to instill security awareness within the development team’s culture, all year round.
It’s no knock against developers to say secure coding isn’t their top priority. Security isn’t part of most computer science curricula, and it’s not a typical part of a developer’s job description. Developers may be graded on quality, but their main directive is to meet performance and feature requirements and release code on schedule and under budget. Increasingly, however, security teams are putting pressure on developers to meet requirements that may clog up the development process and cause missed deadlines – a source of irritation for developers, and of pushback that security teams don’t welcome.
Developers need training that works for developers. Our research shows that training programs really do work, when they’re done right. We found that development organizations that use on-demand eLearning programs have a 30% higher fix rate than those without eLearning. Just as security assessments are more effective in the coding stage, training is more effective when developers can use training tools, such as short and easy-to-consume video courses, to fix code as they write it.
Security teams – respond to developer concerns with tools and resources that don’t get in the way. And developers – give security a chance to succeed by showing them how to work with you.
Instead of imposing security training from outside the development team, encourage development to create a security culture from within. In our eBook Five Principles for Securing DevOps, we recommend building security champions in the development team. Security champions act as force multipliers who amplify security’s message without sounding like security dictators.
Security managers should incentivize one or more developers with a special interest in secure coding to take on a developer liaison role that includes peer training. Get them involved in designing your training program and rely on their input about what works and what doesn’t to improve your overall AppSec program.
Along the same lines, security training won’t work if it’s seen as a chore. Why not make it a fun and engaging process? Developers are hackers, too. If you’re a developer, take some ownership of your own security training and find ways to personalize and improve what the security team comes up with. Examples include competitions to create the best training modules, peer tutoring days with free pizza and snacks, internal bug bounties, and capture-the-flag challenges.
Finally, developers should consider that training up in security is its own reward. Not only does training make your code quality better, it also makes you better at your job and more marketable for professional advancement.