How To Build An Appsec Training Program for Development Teams: A Conversation with Fred Pinkett

By Zack Cronin
February 22, 2012

As organizations face a number of cyber security challenges heading into 2012, a more holistic application security approach that includes relevant training should be considered. Integrating developer training with static analysis and advanced remediation techniques will help reduce overall risk across your enterprise application portfolio, and will strengthen your security program as a result. In our most recent webinar, Fred Pinkett, VP of Product Management at Security Innovations, and Jim Lynch, Product Manager at Veracode, discuss key strategies to implementing a formalized Application Security training program. The following are some highlights of the Q&A at the end of the discussion.

Q: How do you build training programs to meet compliance requirements and audit?

Fred Pinkett: Because compliance is often a part of the funding, having your auditors sign off on what the program is going to be is important. The first thing I always say when working with development is actually talk to the auditors. A lot of us view them as the enemy and something we have to get past – really, if you bring them into the process and if they are invested in the process, they can really help you understand what they see as a program that will meet particular compliance needs. Then you need to look of course at which regulations you will be measured against. Is it an internal audit, with internal standards? In that case you definitely have good access to the auditors, and you definitely can work with them to build out the program. But if it’s things like PCI, then there’s absolutely PCI-specific training that’s out there in a lot of these programs – so make sure that you would include that and be aware of the PCI principles. There are PCI general awareness classes and ones that are specific for PCI developers that look at PCI from the perspective of someone who is building an application, so you may want to look for that kind of training.

Q: What should I look for in a training class?

Fred Pinkett: Training quality is important for people to absorb the information – what the training is actually going to look like, and do, and use – that’s really key to what’s going to be important. When you’re doing the instructor-led side of it, obviously who the instructor is, their credentials, maybe see some samples of their work on video so you can get an idea if they’re engaging. But on the computer-based side it’s really pretty straightforward: there are two styles of computer-based training. One of them is instructor-led and recorded, and you end up with kind of ‘talking head’ slides. The problem with that is it’s very easy to tune out; it’s very passive for the user – they’re just looking at the person talking and the slides flipping, so I am not a big fan personally of that. But that is why we have chosen to build the training the way that we build it, which is truly more computer-based and interactive, so you have voice-over but you have interactive elements.

Q: Any suggestions on how I can track and measure the success or impact of a training program?

Fred Pinkett: We’ve actually seen companies do this in a number of different ways. We’ve seen some that use the assessments approach and basically will take a baseline and use that performance, sort of ‘taking their temperature’ at the start of a program, and then either present the same assessment after a certain number of courses are completed, or more advanced exams after students have gone through a number of courses, and compare the average scores across the organization. Some companies will actually just look at completion – so they will just look at it like, ‘we have a target of 100 developers taking ten courses over the next six months.’ And they will track their progress again by just completing a certain set of required courses they present in a curriculum to all their e-learners. Those are the two major ways we typically see companies measure performance. Sometimes, though, exams are a comprehensive aggregate of all the courses that are assigned; other times the exams are just individual or specific to the courses. We see things in a number of different ways. Thinking about it more from a long-term perspective, the third way is looking at your Veracode scan performance: taking a baseline of what your average application security score is before and after an e-learning program, seeing what your scan results look like after, and tracking progress that way.

Proud to be one of Veracode’s first co-op employees, Zack is a student concentrating in management and marketing at Northeastern University. With this opportunity, he looks forward to the prospect of further developing the skills he has gained as a student and in other positions, positively contributing to Veracode’s marketing and sales efforts, and learning from and working with the Veracode marketing team!