How to Train a Globally Distributed Development Team

By Amanda Lee
February 10, 2016

How companies with successful AppSec programs train globally distributed teams on secure development practices and security guidelines.

Every large organization now has a complex and globally distributed software development process. It doesn’t matter whether your developers are in-house or outsourced, based in Bangalore or Boston: the expectation is that quality, bug-free, secure software is built quickly and efficiently. This provides the organization with the competitive edge it needs. When developers cross language, cultural, time zone, and even organizational boundaries, training and development become a huge challenge, because all developers must be educated on the same standards, in the same way.

Veracode works with many clients who fit this description, and for many of them we have provided comprehensive training programmes that augment their existing AppSec initiatives and allow them to build secure applications without sacrificing innovation and speed. When training across the globe, the only way to be successful is to build and execute a technology-focused, virtual model that allows rich connections between trainers and developers.

The following is a simple model to ensure global development teams get the best AppSec training possible.

The six C’s - Best Practices for AppSec Training for Globally Distributed Teams

1. Consistency - The formal delivery of all training is consistent.

  • There should be a set script for instructor-led training and a consistent format for eLearning
  • The look, feel, and path through the courses should be the same across all topics
  • All training sessions should provide a range of learning aids such as case studies, written text, summaries, tests, etc.
  • Every developer should have access to the same training with the same frequency

2. Control – The client stipulates the frequency, style and attendance of the training, with a test to prove skill level at the end

  • Client and developer group set up times/dates of training sessions with developers and have monthly meetings to confirm attendance and share feedback
  • Gain feedback from developer teams once a quarter on the format, frequency and style of all training materials
  • Execution and quality of content is governed alongside other elements of the AppSec program

3. Culture – Take into account regional and cultural differences

  • eLearning and, where possible, instructor-led training should be in local languages
  • Ensure that online resources are easy to navigate and in a range of media
  • Ensure that the training sessions include both Q&A slots as well as guided questions to encourage participation
  • Remove localizations or colloquialisms

4. Communication - Leveraging the best technology to suit needs

  • Ensure good quality audio/visual facilities to share documents online
  • Provide a chat or help facility for ad hoc questions
  • Provide recorded sessions for any live sessions for developers to consume offline
  • Ensure simple language and examples throughout

5. Context – Ensure that the content is comprehensive and relevant to the developer group

  • Client to pick from a list of training topics to ensure that sufficient relevant breadth and depth has been covered for each set of developers
  • Training topics to reflect the organization’s main languages, frameworks and threat environment
  • Instructor training to provide ample opportunity for questions and answers

6. Consulting - Enhanced, in-depth, one-on-one technical consulting where necessary, to support live remediation and mitigation based on vulnerabilities found

  • Mandatory results review / readout calls set up after the initial scan of each app to perform more in-depth analysis of how to fix vulnerabilities
  • Optional, in-depth technical consulting can be added to existing AppSec programmes to enhance overall developer training, covering deep technical understanding of the application and environment as well as remediation plan development and completion

Amanda Lee is a Security Programme Manager for the largest Veracode programme, which includes static, dynamic and third-party scanning, remediation services, training, and software component analysis. She had 12 years of programme management experience at a large consultancy before joining Veracode.