/apr 7, 2017

Give Developers Training That Actually Helps

By Pete Chestna

Do you have a security education program for your developers? I hope so. Although developers are certainly capable of writing quality, secure code, most were never trained in security. They just don't know what they don't know.

When I was actively developing enterprise software, I would visit the bookstore to purchase books on the technologies that I was using. These books were hundreds of pages long and cost about $60. In the end, there might be about 30-40 pages that I found useful. I was happy for those pages, but lamented the wasted time and cash for the stuff that didn't apply to me.

On-demand eLearning can suffer from the same drawback. For example, a secure Java coding course gives a great overview, but likely contains lessons and examples that do not apply to your developers. However, any great AppSec program will have some sort of on-demand eLearning program for developers. We have measured that teams using eLearning do remarkably better than teams that do not – seeing a 6x greater reduction in flaw density, according to our research for the latest State of Software Security report.

If you have a mature AppSec program, you can do even better. My definition of a mature AppSec program has several components:

1. A clearly defined and communicated security policy

2. Regular automated scans of the entire application

3. A way to aggregate security results

If you have these components already, then you are off to a great start. The next thing on your list should be to measure and track the most frequently introduced vulnerabilities, probably by CWE (Common Weakness Enumeration). This information will tell you exactly what your developers are struggling with. This metadata allows you to turn the blunt instrument of secure coding into the scalpel of a timely and entirely relevant learning lunch or instructor-led training session. Fill a room with pizzas and developers, and talk to them about a problem that they are currently struggling with. They will certainly pay closer attention to this specific help (in between bites of pizza).

Because you're regularly scanning, you can now measure the impact of your training on the teams you have helped. You should see a steady decrease in the number of those specific vulnerabilities over time. This ROI can be used to justify more expenditures for training. Lather, rinse, repeat.

Related Posts

By Pete Chestna

As Director of Developer Engagement, Pete provides customers with practical advice on how to successfully roll out developer-centric application security programs. Relying on more than 10 years of direct AppSec experience as both a developer and development leader, Pete provides information on best practices amassed from working with Veracode’s 1,000+ customers.

Pete joined Veracode in 2006 as a platform developer and was instrumental in delivering the first version of Veracode’s service to customers. Later, as Director of Platform Engineering, Pete managed the Agile teams responsible for delivering Veracode’s SaaS platform and built the first DevOps team.  Pete also spearheaded Veracode’s initiative to automate the use of Veracode products into the company’s development processes. Using this experience, he has spoken with hundreds of Veracode customers to help them set up similar programs.

Pete has more than 25 years’ experience developing software and has been developing web applications since 1996, including one of the first applications to be delivered through a web interface.