Developer training has an essential role in reducing code vulnerabilities and avoiding a breach. Effective application security requires both locating security-related defects, and fixing them. But developers simply aren’t equipped with the knowledge or skills they need to fix these flaws. Veracode recently sponsored the 2017 DevSecOps Global Skills Survey from DevOps.com, and found that less than one in four developers or other IT pros were required to take a single college course on security. Meanwhile, once developers get on the job, employers aren't advancing their security training options, either. Approximately 68 percent of developers and IT pros say their organizations don't provide them adequate training in application security. The good news is that getting developers the security training they need makes a big difference. Data collected for our State of Software Security report revealed that eLearning on secure coding improved developer fix rates by 19 percent; even better, remediation coaching improved fix rates by a whopping 88 percent.
Clearly, developer training on secure coding is both needed and effective. The following are some key elements to keep in mind when establishing security-training initiatives for development teams.
Consider employing a variety of training types to accommodate different learning styles and preferences, time zone differences, and to allow for both quick insights and deep dives. For instance, consider both self-paced eLearning training along with periodic instructor-led training.
In terms of content, ensure the training is both role- and technology-specific. For instance, different programming languages have different security idiosyncrasies, and each has its own propensity for different vulnerability types, so it’s important that your training is specific to your language.
Reinforce traditional training with on-the-job learning. When developers get instant feedback and learn to code securely as they are actively coding, they create more secure code faster and make fewer security missteps going forward. Some application security testing solutions offer this option. As our director of product marketing notes in a recent blog post, “The security testing serves as a feedback loop for developers and as a gate to stop security defects escaping to production.”
A recent Forrester report, Show, Don't Tell, Your Developers How To Write Secure Code, states that “the best application security testing tools … now come with good remediation advice for developers.” It recommends that organizations “look for tools that include clickable and brief training modules and can be inserted as early into the SDLC as possible, such as spellchecker-like plug-ins to the integrated developer environment (IDE).”
For example, Veracode Greenlight, an IDE- or CI-integrated solution for continuous flaw feedback and secure coding education, returns scan results in seconds, helping you answer the question “is my code secure?”
Greenlight provides on-the-job developer security training through:
Finally, one of the best ways to reinforce all your security training efforts is to employ security champions on your development teams. A security champion is a developer with an interest in security who helps amplify the security message at the team level. Security champions don’t need to be security pros; they just need to act as the security conscience of the team, keeping their eyes and ears open for potential issues. Once the team is aware of these issues, it can then either fix the issues in development or call in your organization’s security experts to provide guidance.
With a security champion, an organization can make up for a lack of security coverage or skills by empowering a member of the development team to act as a force multiplier who can pass on security best practices, answer questions, and raise security awareness.
Get details on additional application security best practices in our new Application Security Best Practices Handbook.
And get tips and tricks on managing your AppSec program from other Veracode customers in our Community.