Sep 19, 2016
Whilst generalised developer security training provides a baseline of security knowledge, it lacks the scope and depth necessary to cover each developer speciality.
Even if a course is comprehensive enough to cover a broad range of developer roles, many of the idiosyncrasies of each platform and language simply aren't relevant to developers with a different specialty.
In order to ensure your security training programme is as effective and engaging as possible, it's essential to build upon the basic principles of application security and implement role-specific training. To help you choose the right security course for your team, we're looking at the aspects of software development that require tailored security training - from the type of platform developers build for, and the programming language they use, through to the methodology employed by the whole development team.
Mobile security is an increasingly important part of software and application development. With a growing number of mobile platforms gaining mainstream acceptance, developers have two significant responsibilities: ensuring that their applications are functional, and ensuring that they are secure, across multiple platforms.
Android and Apple's iOS handle application security in very different ways. Whilst Android's open development platform can increase the likelihood of a serious security vulnerability, the high level of enterprise adoption of iOS means that common web application threats (like SQL injection and theft of data in transit) can put extremely sensitive information at risk, and incur potentially catastrophic costs.
The same principles apply for Windows development - with developers requiring specific security training on topics like the Windows Authorisation Model and Microsoft's .NET framework.
Each programming language has a different set of uses, and a corresponding set of potential vulnerabilities. A secure PHP developer will follow very different security practices from a secure developer using Java or C#. It's essential that your security training recognises these fundamental differences, and allows developers to improve their security knowledge of the language they specialise in.
Many developers have made the switch from waterfall-style processes to the more flexible style embodied by Agile. Unfortunately, many organisations make the change without recognising the inherently different security threats posed by the iterative nature of Agile.
Agile software developers need to be trained on the benefits of iterative testing, and should understand how to deploy a mixture of low, moderate and high frequency security tests throughout the software development lifecycle.
New technologies can provide developers with new tools for securing their projects, but they also introduce new security issues. Whenever developers are using relatively new technologies, it's important that they receive training on the best practices, and the common vulnerabilities, of using them.
For example, HTML5 brings with it a new range of security features, including same-origin policy (SOP) and content security policy (CSP). These features have the potential to improve web application security, but only if developers are aware of these new features, and able to use them effectively.
SaaS, IaaS and PaaS (software, infrastructure and platform-as-a-service) models are growing in popularity, requiring developers to be familiar with the best practices of secure cloud development. This requires explicit training around the problems of Big Data and regulatory requirements, as well as the common problems associated with cloud technology (like insecure APIs and unauthorised account access).