AppSec training: What works and what doesn't
Application security training should be a no-brainer for developers—they’re the professionals that write and code applications. But although companies are increasingly investing in application security tools and testing, developer training is often overlooked.
Understanding security at the start of building an app can mean the difference between software that’s developed without frustrating bugs and vulnerabilities, and apps that have to be sent back for rework because the security team deems them insecure. Developers who understand application security are a win for everyone.
What are some best practices for AppSec training for developers? Read on to get a rundown of what works and what doesn’t.
Train a champion first. If you want to launch a successful AppSec training program, start by training an internal security champion.
“We find a champions program is very effective for training,” said Drew Thompson, instructor-led training practice director at Synopsys. “It gives champions ownership of the security process and gives their development team a single point of contact for security-related concerns and a direct line of communication to the security group.”
How do you find someone to serve as a champion among your developers? Look for developers who express an interest in expanding their security knowledge.
“We want to steep champions and developers in security over time,” Thompson said. “A training plan will build on the previous courses. An example may be to start with an introduction to software security. Then move into a course on the OWASP Top 10. Then, to expose developers to the offensive side of software security, we would have them take a course like attacking web applications. Offensive courses give developers some experience doing the hacking themselves. Early training makes security real for them. Software vulnerabilities are often not something they have directly interacted with before, and this helps it hit home.”
Build customized courses. Thompson also recommended customizing material for the problems developers might face.
“If the training content is relevant to the development team, it’s more effective,” he said. “It’s not just some words on a page or an industry best practice. They will be learning about vulnerabilities and remediation that they have found to exist in their software. Then when the course moves into the lab environments, the students can imagine the lab results in the context of their own software.”
You should also customize the curriculum based on skill level. Training for learners who are just starting will differ from training for an experienced developer who wants to obtain more advanced skills.
Make training role-based. Effective training is tailored to specific roles, according to Brendan Sheairs, managing consultant with the Synopsys Software Integrity Group.
“Role-based training is important,” he said. “When the security training is applicable to their job, it makes it easier to help them understand why these security issues relate to their role.”
Get hands-on. Sheairs also advocates for hands-on training.
“Training where they can do a lab or exercise reinforces the lesson. Through these activities they gain an intimate knowledge of the concept. It’s more engaging. We all went through labs in college. These concepts are easier to understand when you have a tactile touch with them,” Sheairs said.
Offer incentives. Give developers who complete training or accomplish certain criteria rewards for their work. It could be a gift card, a free meal, or other fun items that acknowledge the time spent learning AppSec.
“Sometimes it’s as simple as stickers for their laptop that reveal a level of security knowledge,” Thompson said. “For many, it’s really a point of pride to have the credibility among their peers.”
Make it flexible. In some instances, developers may need to fit the training into an already busy schedule. Make sure they have options to take training anywhere, whenever possible. E-learning courses allow developers to participate in security training when they have time.
What doesn’t work
What techniques will leave developers bored and unmotivated to learn? Avoid the following mistakes when crafting a training program.
Biting off more than appropriate. “Keep things relevant to where developers are in their knowledge,” Sheairs said. “You want to meet them where they’re at and ensure the training is relevant and understandable to them. Trying to put people in training beyond their skillset will backfire.”
Check-the-box activities. “We all have to train periodically on certain things. But if we are simply looking to check that box, it isn’t going to be effective,” Thompson said.
Long training schedules. “We used to try and target eight hours on courses,” Thompson recalled. “I have pushed course owners away from that now.”
Instead of a long training session, Thompson advises course owners to think about a topic, such as container security, and what needs to be covered for developers to effectively integrate security into the topic. Show developers you value their time by offering courses that don’t take hours to complete. It’s a bit like learning something new from YouTube. When your search returns multiple options, you’re likely to pick a shorter video that gets to the meat quickly, lets you learn the tidbit you needed, and then move into practice. This style of learning is the expectation, and effective training needs to accommodate that style.