When searching through the security headlines, many businesses and IT leaders realize the importance of keeping their systems safe. They know that training software developers is a key part of preventing the kinds of attacks and breaches that make the headlines. Customer data and company revenue are at stake.
However, training software developers can be a challenge in itself. How frequently do developers get trained? What is the format? And most important, how do you know whether training is effective? What is the definition of “effective” training, anyway?
To get some insight on this topic, we talked to Naomi Buckwalter, Information Security Manager at Energage, to get an expert’s opinion on how developer training should be given and how security culture should be nurtured.
Top 3 takeaways
- More and more expectations are being put onto the developers’ shoulders. It is up to the security team to lighten the load and enable developers to do their best work, which means writing secure code.
- Effective developer training produces measurable results. Two results to look for are whether developers release more secure code as a result of your training and how many developers become passionate advocates of application security.
- Companies often overlook how training fits into building a strong security culture among development teams. It’s important to give developers actionable steps and the tools necessary to apply what they learn in training to their everyday work. Companies should also make security worth something, even giving rewards (aka cash) when certain security milestones are hit.
Without further ado, check out Naomi’s awesome advice down below.
What impact has the changing landscape of security had on the roles and responsibilities of developers?
Naomi: Good idea or not, developers nowadays are tasked to do it all – develop, test, configure, secure – there are rarely any individual developers out there that are tasked to do only one slice of the SDLC. That means that developers have a lot to do! Keep the lights on, make the business happy, and now we’re asking them to produce secure code on top of it all! Developers are busy people! It’s the security team’s job to enable them to do their best work – and remember, “good” code means “secure” code.
In your opinion, what are the characteristics of effective developer training?
Naomi: Well, the most obvious quantifiable characteristic that comes to mind is “Are developers releasing more secure code as a result of developer training, or are the number and severity of security bugs largely unchanged?” The more effective developer training is, as the logic goes – the fewer new security bugs would be released into production. If you don’t see a positive change in the number of security bugs, however, you know you have a problem.
How do you measure effectiveness of developer training when it comes to secure coding concepts?
Naomi: One of my all-time favorite measurements of effective developer training is “How many of your developers are passionate advocates of application security?” Do your developers proactively reach out to fellow developers to help with security code reviews or security architecture discussions? Do your developers follow security news and play with security tools? Are they part of the “security army” that helps protect the company? After all, a good developer will care about the quality of their code, and code isn’t “good” unless it’s secure!
What do you feel are the most overlooked aspects of security training?
Naomi: I’d definitely say that security training is not a “one and done” kind of deal. You can’t just “check the box” with security training and do it once a year or once every few months; security training is truly most effective when it’s a front-and-center, tapping-on-your-shoulder, dashboards-and-metrics kind of thing. Tie security metrics back into code quality. Make developers accountable for the quality and security of their code. Heck, you can even tie security metrics back to bonuses. “No new security vulnerabilities in the past five sprints? Hooray, you all get $250!” Make security WORTH something.
What do most people or companies get wrong with security training?
Naomi: I’d say companies don’t tie security training back to actionable steps for developers. For example, a developer gets sent on a week-long course for security training, but then gets back into the office and – nothing. No tools to help with writing or testing code; no new procedures or policies to help manage vulnerabilities; no help from product owners and project managers to escalate the priority of fixing security vulnerabilities. The developer goes back to what they were doing originally, and nothing really changes. Security training is just the first step in building a strong security mindset, or security culture, within the development team. Give them the knowledge, but also give them the tools. With enough time, support, and opportunity, your developers will build their application security “muscle” and really do great things.