OneLogin Improves Its Developer Security Training Program With Veracode Security Labs

“There is no better way to learn about secure coding best practices than through actual experience. With Veracode Security Labs, developers get examples of vulnerabilities in real code in their chosen language. It’s so much more realistic than just buying a generic training program off the shelf.”

With Veracode Security Labs, OneLogin Reduces Code Defects Introduced During Development

The Challenge

Identity and access management (IAM) providers, like OneLogin, manage user access to applications to ensure that unauthorized users cannot access sensitive information. When customers select an IAM provider, their main priority is security: “Is the provider’s platform safe? Will my applications be safe?”

To be competitive in the market and ensure that it’s offering clients a secure platform, OneLogin was challenged with training its developers in secure coding best practices. “OneLogin had application security solutions in place,” said Jim Hebert, Staff Application Security Engineer at OneLogin. “But we needed a comprehensive training program to ensure that new developers had the skills needed to write secure code and remediate vulnerabilities.”

The Solution

Hebert, new to OneLogin, was tasked with creating the new developer training program. He had created video lesson plans for OneLogin’s learning management system but was thrilled to hear that OneLogin had a license to Veracode Security Labs (formerly known as “Hunter2”). Although he had never used Security Labs, he was familiar with the hands-on-keyboard training tool. “There is no better way to learn about secure coding best practices than through actual experience. With Veracode Security Labs, developers get examples of vulnerabilities in real code in their chosen language. It’s so much more realistic than just buying a generic training program off the shelf,” said Hebert.

The Results

Since making Veracode Security Labs a mandatory part of new developer training, there has been a noticeably heightened interest in security. “Developers are much more engaged in security now that Security Labs is part of their training,” said Hebert. “We recently purchased a third-party application and – without even being asked – developers took time out of their busy schedules to test the application for vulnerabilities. And it’s a good thing they did because we identified several potentially dangerous security flaws.” In fact, the secure code training program is going so well that the Chief Technology Officer recently decided to make the training mandatory for all developers, not just new hires.

Success Story: OneLogin

The mandatory security training is essentially the video lesson plans created by Hebert, along with the accompanying lab exercises. Training is not all crammed into one day. It is self-paced so developers can tune in when they have free time. Vijay Shrenikraj, Senior Software Engineer at OneLogin, loves the self-paced approach to security training because it allows him to revisit topics or labs for further clarification. “I really like how each exercise focuses on just one thing,” said Shrenikraj. “It allows me to learn about a topic – whether the topic is new, or I just want more information – and understand the exact problem at hand.”

Best of all, the security training has helped reduce the number of code defects introduced during development. As Jake Reichert, Director of Engineering at OneLogin, explained, “As a senior technology leader, it is challenging to move employees from a theoretical understanding of secure software development to the actual practice of it. Veracode helps bridge this gap by walking engineers through actual code examples in a language of their choice to show the specific point at which a vulnerability is introduced and what they need to do to cure the defect.” And by giving engineers hands-on practice writing secure code during training, “Veracode has significantly reduced the number of defects introduced during the development process and has ingrained security best practices as a primary pillar of creating production-quality code.”

Going forward, OneLogin plans to continue using and expanding on its existing training program by adding additional videos and labs. Security and engineering leaders, like Jim Hebert and Jake Reichert, are confident in their developers’ secure coding skills and confident that, with the continued use of Veracode Security Labs, OneLogin can offer customers a secure, best-in-class, trusted experience platform.

About OneLogin

OneLogin is a cloud-based identity and access management (IAM) provider that offers a trusted experience platform to more than 5,500 enterprise-level businesses and organizations across the globe. Using OneLogin’s Trusted Experience Platform, customers can centralize their applications, devices, and end users all in one place, so they can easily spot security threats and take immediate action. Over the past several years, OneLogin has received numerous accolades for its ease of use, quality of support, and effortless setup.