Denim Group has been doing some research looking at the effectiveness of training developers on security via e-Learning and instructor-led training and John Dickson presented the initial results of this research at OWASP AppSecUSA 2013 and Security BSides San Francisco 2014.
You can see a video of his AppSecUSA 2013 presentation here:
And see the slides from Security BSides San Francisco 2014 here:
The abstract for the talk is:
Most application risk managers agree that training software developers to understand security concepts can be an important part of any software security program. Couple that with the Payment Card Industry, who mandate that developers should have training in secure coding techniques as laid out in their Data Security Standard. Yet others call developer training “compliance-ware,” a necessary evil and a tax on software development in the enterprise.
This presentation shares the results of a yearlong survey of nearly 1,000 software developers that captures their knowledge of application security before and after formal training. The survey queries developers from various backgrounds and industries, to better understand their exposure to secure development concepts and to capture a baseline for post-training improvements. The session also includes the results of a “retest” of a subset of respondents, to identify how much security knowledge they retained after a specific length of time. The results were surprising, and include information every application risk manager should know, particularly those who rely on training as part of an application security strategy.
Training developers to write secure code can be a complicated issue and our hope at Denim Group is that releasing some of this data can help organizations craft cost-effective and impactful training programs. Contact us for more information about instructor-led training and e-Learning options.