The Security Innovation Europe Blog

Why Shelfware Means Secure Development Processes Are Vital

Posted by Marc Dunlop on Dec 12, 2016


Shelfware (purchased software that quickly ends up shelved and unused) is a huge problem for large organisations, especially those attempting to roll out security programs.

In order to overcome the hurdle of shelfware, and ensure that your next security investment translates into meaningful security improvements, it’s vital to understand the relationship between application security tools and developer security training.

How Security Tools Become Shelfware

Over the last decade, the software industry has been inundated by security consultants pushing organisations towards investment in the latest-and-greatest security tools, with the purpose of creating visibility down to the line of code. On paper, these tools allow organisations to quickly identify, prioritise and remediate security vulnerabilities – but in practice, most security tools end up gathering dust.

The issue usually stems from a one-sided investment into security – prioritising the purchasing of security tools without any investment into training. This causes three issues:

Developers Can’t Use the Software

Any piece of complicated software requires some form of dedicated training to use it effectively. Many organisations neglect this aspect of rollout. With developers working to extremely busy schedules, it’s unlikely they’ll find the time to seek out training of their own volition.

Developers Don’t Understand Vulnerabilities

Without any form of developer security training, most devs won’t understand the results output by the security tool. Even if the tool can identify a potential cross-site scripting vulnerability, if the developer doesn’t understand the concept, and how to remediate it, the tool won’t have any impact on security.

Developers Don’t Trust the Software

This problem is often exacerbated by the tendency of most software tools to generate obvious false positives. Similarly, without the knowledge and expertise to differentiate between less obvious false positives and genuine security vulnerabilities, developers may find it hard to trust the validity of the tool – especially when it identifies their own mitigating rules as potential vulnerabilities.

Each of these problems means that developers can’t see any benefit to using the tool, and the software quickly ends up as shelfware. Even if we factor out the costs of purchasing the software, the organisation then finds itself in a position worse than before: operating under the false assumption that its development teams have improved security visibility.

How to Roll-Out Effective Security Tools

Thankfully, the root cause of shelfware is simple: both static and dynamic application security tools (SAST and DAST) are difficult to use without any security knowledge. Implementing a cost-effective developer training program, alongside the rollout of a new software tool, will have a massive impact on the efficacy and benefit of the tool (and the organisation’s security).

There are two primary aspects to effective developer security training:

Role-Specific eLearning Courses

Software developers have a broad range of skill sets, specialities and responsibilities. In order for security training to engage them in an effective way, and improve their ability to use security software tools, it’s essential to roll out training in a form that aligns with developers’ existing responsibilities. A role-specific eLearning course allows organisations to tailor training to a developer’s specific needs, and helps developers take on training in a way that doesn’t impact their existing project work and commitments. 

A Security Knowledge Repository

Software security is a complicated and evolving field. Developers need access to a central database of constantly updated information, allowing them to double-check vulnerabilities and potential solutions as and when security tools identify them. As well as allowing devs to periodically refresh their security knowledge, this can help encourage a secure culture of self-motivated development.
