I’ve had the opportunity to work with a number of firms training their developers in secure development techniques. Obviously the quality of the training content and the trainer is key – especially for a topic area such as application security, where you are trying to give students the ability to think on their feet (or at the keyboard or whiteboard or whatever). However, there are also things organizations can do to get the most out of the money and time they spend on training that have less to do with the training provider and more to do with how they promote the training beforehand and follow up on it afterwards. Here are some tips from my experiences:
1. Provide context for the training – One firm we worked with did an obviously poor job of letting developers know what the training class was for and why they were receiving it. The class was advertised to attendees as “PCI Training” when it was actually secure development training being undertaken in part to meet PCI requirements. At the beginning of the class, when I asked one of the attendees why he was there, he said, “The only reason I am here is because my boss said I had to be.” If attendees know what they are learning and how it fits into their jobs, they will retain more of the information. Providing this context and setting expectations has to happen before the trainer sets foot on site.
2. Use the right tool for the job – eLearning is great for making sure everyone has a baseline of knowledge and for dealing with employee turnover, but for the people you really want to be the “go-to” security mavens it is really valuable to give them an opportunity to interact with an instructor. Firms that rely solely on eLearning run the risk of not developing this leader-class of security-smart developers who can act as internal resources. And most firms can’t afford the money and time to run every developer through extensive classroom training. A blended approach helps to address the need for baselining knowledge as well as the need to develop some internal security superstars. We have used this approach successfully with a number of firms.
3. Don’t train developers and then declare victory – Just because developers know what they should do doesn’t mean they will actually do it. We have seen this repeatedly: an organization runs a training class or two and then is shocked when its next round of external testing still identifies new vulnerabilities. Training is one aspect of an overall software security program, but so are threat modeling, code review, penetration testing and so on. Look to resources such as the Software Assurance Maturity Model (OpenSAMM) for more information on the variety of practices and checkpoints leading organizations use when constructing their assurance programs. Training done in a vacuum runs the risk of not actually changing behavior.
4. Demonstrate that management cares about developing secure software – Another firm we worked with had us start out every training class with two videos. One was from the CIO and the other was from the head of application development, and both of them carried the message “Protecting customer information keeps me up at night. We have to do it well to earn our customers’ trust and if we do it poorly it will seriously damage our relationship with them.” As mentioned above – letting the attendees know that management cares about the outcome of the class beyond just being able to check a compliance box is key if you want attendees to pay attention and retain the material. These videos got attendees’ attention right from the outset.
Training is an important part of any software security program. Hopefully, by following these tips, folks can get more value out of the time and effort they put into training their developers.
Contact us for more information on instructor-led training and eLearning for teaching developers how to build secure applications.
dan _at_ denimgroup.com