Jan 16, 2017
It can be hard for developers to prioritise security, so to make training as effective and engaging as possible, we’re looking at 8 ways to enforce developer security training.
1) Set an Executive Mandate for Security Training
Any developer training program has to start with a mandate from the company’s senior executives. This top-down approach ensures that security training has obvious buy-in from management, and helps developers understand that completion of the course is a priority.
Mandatory training will see high take-up from developers, and the clear message it sends can also improve take-up of non-mandatory courses. It’s possible for large organisations to achieve 100% take-up with mandatory security training, and in many cases, we've seen subsequent non-mandatory courses see a similarly stellar adoption rate of 80%+.
2) Set a Time-Frame for Completion
Training courses should have a clear and strict time-frame for completion. Whilst its important to accommodate the day-to-day workloads of development teams, mandatory training needs to have an appropriate time-frame to reflect its priority status. For some organisations, 3-months is a good benchmark for the completion of essential training, and 6-months for more role-specific training.
3) Monitor Important Management Metrics
With an executive mandate for training, it’s crucial for managers to be able to monitor developer adherence. Thankfully, most computer-based security training programs have in-built management tools. You can identify who’s started the course, and who’s completed it – and it becomes easy to send a friendly reminder email to any developers yet to enroll.
4) Share Developer Metrics
Developer performance is often gauged by the number of vulnerabilities and bugs that make it into a finished product. By allowing development teams to access these types of metrics, both before and after completion of a security training program, developers will be able to gauge their own performance, compare it to their peers, and see how security training has translated into improved code.
5) Create an Organisation-Wide Security Information Resource
Without a way to periodically brush-up on their security training, it can be difficult for developers to remember the lessons learned from their training, and effectively incorporate them into their day-to-day activities.
It’s a great idea to develop an organisation-wide resource of security information, to allow developers access to security resources, and ways to cross-check individual use cases. If a developer is concerned that a piece of code may be vulnerable to cross-site scripting (XSS), they need to be able to quickly identify and act upon any problems.
6) Recognise and Reward Secure Developers
Whilst it’s important to monitor overall pass-rates for the entire organisation, it’s also a great idea to recognise and reward developers for their performance. A pass/fail exam at the end of a training program offers a good way to identify developers with a good understanding of important security concepts – and offer some form of recognition for their efforts. In many cases, it can also incentivise improved performance, as developers try and out-perform their colleagues.
7) Choose Software Security Champions
Developers that perform exceptionally well can even become ‘software security champions’ – security experts that can be embedded into development teams to improve application security on individual projects.
8) Create a Security Training Curriculum
Security training should help organisations develop a secure culture, and encourage its participants to become pro-active, security-conscious developers. A single one-off course isn’t enough to achieve organisation-wide security awareness – and in order to meaningfully change developer behaviour, it’s essential to develop a curriculum of security training.
To get the most out of security training, it’s a great idea to develop a program of 4-5 courses. In addition to foundational training for all employees, it’s crucial to incorporate team- and role-specific training to match the skills and specialities of your developers. It’s this type of training that helps developers see the real value of security training – and by reinforcing its importance, through company-wide buy-in, it’s possible for all organisations to improve compliance.