Training developers on application security is critical to the success of every security program, but many companies deploy training improperly or insufficiently, argues Maria Loughlin, VP of Engineering at CA Veracode. Companies can increase the bang for their training buck by matching their training delivery and curriculum to the needs of their organization.
A successful program delivers training via multiple methods, embracing the benefits of each channel. For course-based training, both in-person and online delivery have their pluses and minuses. For initial threat awareness and threat modeling sessions – where developers increase their awareness of "the pieces of your applications that can open the door to attackers" – Loughlin says that she "always recommends that the course be taught in person. Here we're trying to change a mindset, to get developers to think about security." That advice can change depending on the nature of the developers being trained: if the developers "are distributed across different time zones or need to fit the training in with unpredictable schedules," online has its place.
Hands-on training should also be included in the plan. Nothing, Loughlin said, beats the impact of the immediate feedback provided by secure code reviews. "Secure code reviews are a great opportunity. Every developer truly wants to write great code," Loughlin said. "And if they have secure code reviews, they are able to work with an expert and see some of the flaws from the code they have written. That provides an invaluable aha moment."
When it comes to content, a successful training program includes two distinct focus areas – technology training and role-specific training. Role-specific training focuses on the needs of key functions, such as architecture, quality, or compliance. Topics include security process guidance, such as designing or configuring for security, embedding security in a quality pipeline, and testing for compliance with external policies/regulations. Technology-oriented training applies security principles to the technologies your team uses, for example programming-language and framework specifics, as well as security for web, mobile, cloud, and Internet of Things (IoT) applications. Your training program should evolve as your technology changes. For example, adding a new programming language to a developer's plate should trigger a training refresh.
"Different programming languages have different idiosyncrasies. No one language is more secure than another. However, each has its own propensity for different vulnerability types," Loughlin said in a recent webcast. "If you're looking to introduce a new language into your organization, it's helpful to give the development team knowledge of how this particular language manages data, manages authentication, what is available and what are the risks."
A great security-training program also guides developers on translating theory into practice in your environment. Developers need to understand your company’s security policy, i.e., your tolerance for vulnerabilities, remediation guidelines, and standards for software license usage. Developers will be more effective when they have training on security-related technology that supports their work. This may include pre-approved frameworks, libraries, and templates, as well as security tools like vulnerability scans, software composition analysis, IDE integration, automation within CI/CD pipelines and static/dynamic analysis.
The key point Loughlin stressed is that enterprise companies expect their DevOps teams to deliver great functionality quickly and they commit resources and training to make that happen. However, a similar focus on security training has not happened, and the results are consistent, if not surprising. Developers continue to make the same mistakes year after year, creating similar security holes, despite the fact that training routinely delivers a sharp improvement in fix rates.
How sharp an improvement? Loughlin pointed to studies showing eLearning delivering a 19 percent improvement and remediation coaching sending fix rates soaring by 88 percent. "Every developer needs to understand AppSec principles of authentication and authorization, trust boundaries, validation and encoding, data protection, session management and threat modeling," Loughlin said, adding that something as simple as best practices can deliver a major improvement in fix rates. "Let's not have them reinvent the wheel."