Jul 8, 2022

Unifying AppSec Training and Development

By Colleen Reidy

Most developers don’t learn about secure coding in college IT programs. And once they join the workforce, they often don’t have the time to learn it on the job.

The responsibility of training developers in secure coding best practices usually falls on security practitioners. Security practitioners are notoriously overworked and often lack the bandwidth to train developers. Organizations are thus turning to AppSec learning experiences built specifically for development teams, which deliver the tools and skills needed to keep an AppSec program on track.

According to PeerSpot, the number one ranked solution in application security training software is Veracode Security Labs, which gives developers tools and hands-on training to tackle modern threats and adopt secure coding practices. PeerSpot members who use the platform share why it is deserving of its high ranking.

Making the Choice for Veracode Security Labs

Veracode Security Labs empowers developers with the knowledge and tools to identify potential software vulnerabilities in real time. For a VP of Engineering at a tech services company, the primary use cases are comprehensive security assessment using static analysis, dynamic analysis, software composition analysis, and manual penetration tests, along with security training for developers.

An Application Security Engineer at a financial services firm has used Veracode's Secure Coding Challenges, a competition hosted by Veracode where community members work through the training in a time-limited fashion. He stated, “I am an application developer, so the Veracode Security Labs are directly relevant to my work. They help illuminate common coding problems and walk through the appropriate way to fix them.”

Dynamic and static scanning of web applications are the use cases embraced by a tech services company’s Chief Technology Officer. He explained, “The application is cloud-based in a major cloud provider. We schedule scans at regular intervals that support various compliance efforts within the enterprise. The application has a modern design with a responsive UI that adapts to the display of the device being used.”

Organizational Benefits of AppSec Training

PeerSpot members are reaping the benefits of Veracode Security Labs in many ways. After utilizing the platform for two years, the chief technology officer feels his developers are more security-aware and writing better code. He elaborated, saying, “The e-learning option allows our developers to dig deeper into the security issues. Topics such as sanitizing input, carefully configured logging output and other typical sources of vulnerabilities. We have a better understanding of the proper configuration of web servers and web proxies as well.”

By contrast, a software architect at a computer software company has had the product for just two months but already has some favorite features. Among them: guidance on how to write a secure application, such as the OWASP ASVS 4.0 requirements, which is otherwise spread across the web and here is gathered into one place. He shared, “This can save months of learning and search on your own.”

The application security engineer likes how the solution walks through a common scenario in which a developer inherits a codebase that has issues and has to figure out how to fix them. He said, “The platform helps guide the developer through the best way to accomplish this. Learning through a hands-on approach is very effective.”

He also believes that the hands-on learning approach allows developers to become more secure coders, which means they are less likely to add bugs to the software they are building. “This saves time and money in the long run, as the mindset of security is shifted left to earlier in the software development lifecycle.”

PeerSpot Users’ Most Valuable Features

The chief technology officer identified the Atlassian integration as Veracode’s most valuable aspect because it has helped manage their compliance paperwork in a more automated way. He also noted that many other security platforms either don't seem to have this feature or want an exorbitant amount of money to get it. He commented, “Automated integrations such as these make compliance much easier to track and maintain. Additionally, the integrations help with agile processes such as DevOps. We are able to schedule things like scan submissions to Veracode that aid in automatic, regular scanning of our web application.”

Cristobal R., a Principal Information Security Engineer at a tech services company, uses Veracode Security Labs as his primary security learning platform. He mentioned that the coding challenges were well put together and that he is happy to see some of the challenges even have a built-in web browser. “That made them very convenient,” he said.

When discussing his favorite feature, the financial service firm’s Application Security Engineer came back to the guided approach of walking the developer through the best way to fix the issues in the codebase. He commented that this approach is extremely effective at teaching developers the right way to implement security controls.

“Being able to view the codebase and edit it in order to remediate the vulnerabilities is extremely powerful. And the best part is that this is all within the web browser, so the developer doesn't have to install any development environments or download anything to work through the training,” he said.

It is possible to get developers more engaged in security. What’s required is the right toolset. Veracode users on PeerSpot affirm that learning experiences created with developers in mind can make a big difference in AppSec outcomes.

Check out more reviews on PeerSpot and demo our Security Labs hands-on training tool.

By Colleen Reidy

Colleen is a customer engagement expert with demonstrated success building customer advocacy programs from scratch and working cross-functionally in program building, sales enablement, business development, partnering with sales, and achieving executive buy-in from the C-Suite.