Coaching is important in almost any profession, and in a creative field like development, you can add modifiers like hugely, massively and immeasurably to that description. When instilling the right concepts is key to writing effective, secure code, there's no better way to approach it (and fix bad habits) than sitting down with the developers themselves.
That said, knowing how to handle developer training and coaching is just as (hugely, massively, immeasurably) crucial. Teaching is about method and perspective as much as it is knowledge, and experience will always dictate what you say and how you say it.
It's easy to see how not having expert-level knowledge of a topic — or experience in which methods work and which don't — could become an issue. Take security, a facet of development so important it's become its own industry: If you're managing developers, you probably don't have time to become a full-blown security expert on the side, and that can seriously impact what sort of coaching or training you provide.
Fortunately, there's hope. Here's a general look at the developer-training cycle, plus a breakdown of how each step works to improve your organization's overall focus on security:
Bringing in experts who can help you find and resolve code-level security flaws is the first and arguably most important part of the whole process. Here, review has a dual meaning: You ask experts to look over the code, then go over the results with them to determine exactly where problems lie.
The benefits from an individual-project perspective are obvious: find a problem, fix that problem. But these reviews are also a great way for companies to instill concepts and habits that proactively stop the same class of error from recurring. New ideas stick when they come with actionable results, and walking developers through the specific changes they need to make can open a dialog about the larger, more conceptual issues behind those problems.
Here's where the "coaching" part of the process comes into play, at least on a per-project basis: Experts can field questions from developers and dive deeper into individual issues, plus address any root causes or misconceptions.
This step can also be huge from a security-mindedness standpoint. Often, developers don't believe their initial scan results are real findings (rather than false positives) because they don't yet know how to look at their code from an attacker's or security expert's point of view. Talking things over helps devs see the reality of the situation and turns their own code into a real-world example of the security theory they'd otherwise only meet in a textbook or e-learning course. That alone can be invaluable, both to the devs and to the business as a whole.
Once the why has been covered, experts move on to the how: providing guidance on the security fix itself and explaining how devs can recognize the same class of flaw if it shows up elsewhere. What was true for coaching earlier is true here, too: once devs know how to fix a problem and spot it in other parts of the codebase, they have experience that carries across multiple projects, and hopefully a whole career.
Here's where the developer grabs the reins. After issues have been identified and questions answered, it's up to the development team to apply the fix and then rescan to confirm that the finding is actually gone, and that the same flaw hasn't been left in place elsewhere.
Assuming every other part of the process "clicks," so to speak, this part should take care of itself. If there are persistent issues, however, the cycle can begin anew.
Every business has different needs. That, plus the specifics of whatever support package a business chooses, shapes the details that make each consultation a different experience. But no matter the business or the issue, expert-guided developer training can make a real difference and help an organization shift toward a proactive approach to security.