How companies with successful AppSec programs train globally distributed teams on secure development practices and security guidelines.
Every large organization now has a complex and globally distributed software development process. It doesn’t matter whether your developers are in-house or outsourced, based in Bangalore or Boston: the expectation is that quality, bug-free, secure software is built quickly and efficiently, because that is what gives the organization its competitive edge. When developers cross language, cultural, time zone, and even organizational boundaries, training and development become a major challenge: every developer must be educated on the same standards, in the same way.
Veracode works with many clients who fit this description, and for many of them we have provided comprehensive training programmes that augment their existing AppSec initiatives and allow them to build secure applications without sacrificing innovation and speed. When training across the globe, the only way to be successful is to build and execute a technology-focused, virtual model that allows rich connections between trainers and developers.
The following is a simple model to ensure global development teams get the best AppSec training possible.
The six C’s - Best Practices for AppSec Training for Globally Distributed Teams
1. Consistency - The formal delivery of all training is consistent.
- There should be a set script for instructor-led training and a consistent format for eLearning.
- The look, feel, and path through the courses should be the same across all topics.
- All training sessions should provide a range of learning aids such as case studies, written text, summaries, tests, etc.
- Every developer should have access to the same training with the same frequency.
2. Control - The client stipulates the frequency, style and attendance of the training, with a test to prove skill level at the end.
- The client and developer group set up times and dates of training sessions with developers and hold monthly meetings to confirm attendance and share feedback.
- Gather feedback from developer teams once a quarter on the format, frequency and style of all training materials.
- Execution and quality of content are governed alongside the other elements of the AppSec program.
3. Culture - Take into account regional and cultural differences.
- eLearning and, where possible, instructor-led training should be in local languages.
- Ensure that online resources are easy to navigate and available in a range of media.
- Ensure that training sessions include both Q&A slots and guided questions to encourage participation.
- Remove region-specific references and colloquialisms.
4. Communication - Leverage the best technology to suit the teams’ needs.
- Ensure good-quality audio/visual facilities for sharing documents online.
- Provide a chat or help facility for ad hoc questions.
- Provide recordings of all live sessions so developers can consume them offline.
- Use simple language and examples throughout.
5. Context - Ensure that the content is comprehensive and relevant to the developer group.
- The client picks from a list of training topics to ensure that sufficient relevant breadth and depth is covered for each set of developers.
- Training topics reflect the organization’s main languages, frameworks and threat environment.
- Instructor-led training provides ample opportunity for questions and answers.
6. Consulting - Enhanced, in-depth, one-on-one technical consulting where necessary, to support live remediation and mitigation of the vulnerabilities found.
- Mandatory results review / readout calls are set up after the initial scan of each app to perform a more in-depth analysis of how to fix the vulnerabilities.
- Optional in-depth technical consulting can be added to existing AppSec programmes to enhance overall developer training, covering deep technical understanding of the application and environment as well as remediation plan development and completion.
Amanda Lee is a Security Programme Manager for the largest Veracode programme, which includes static, dynamic and third-party scanning, remediation services, training, and software component analysis. She had 12 years of programme management experience at a large consultancy before joining Veracode.