Jun 25, 2015
Many organisations embark on a programme of software developer training with the best of intentions. They invest in training courses, workshops and security tools, and expect that investment to produce a rapid and noticeable improvement in security.

Unfortunately, there are four major barriers to rolling out effective developer training. To help your organisation avoid the pitfalls of a failed training programme, we take a look at these four problems and show you how to overcome each of them.
1) There’s No Senior Management Imperative
Securing an executive mandate is a crucial step in establishing developer security training and in signalling the organisation's cultural shift towards secure practices. Without it, it will be extremely difficult to encourage uptake of the training courses, and even harder to communicate the value of the programme to key decision makers.

In order to achieve visible buy-in and support from senior management, it is essential to frame developer training in terms management can appreciate. Thankfully, modern developer security training is a relatively easy sell.

With reporting tools built into computer-based training, it is easier than ever to generate meaningful management reports. Senior executives can track the progress of the training rollout and monitor the pass and fail rates of the development team.

Periodic benchmarking makes it possible to measure training's impact on the number of vulnerabilities found by security tools. For the comparison to mean anything, keep the tools, scan configuration and scope consistent between benchmarks, otherwise a change in the vulnerability count may reflect a change in tooling rather than in developer behaviour. As training progresses, fewer defects should reach testing, making the remaining vulnerabilities easier and cheaper to remediate. By reducing vulnerabilities early in the software development lifecycle, training can be shown to offer a clear cost saving and a substantial reduction in the organisation's risk.
2) Training is Security-Led, Not Developer-Led
When planning a security programme, most organisations turn to their in-house security team to help shape it. Crucially, though, security teams are already security experts. It is the developers who need security training, and the developers who will be taking the courses, so it is far more effective to create a developer-led training programme.

Training needs to:
Fit Around Developer Projects
Training needs to acknowledge a developer's existing commitments and ongoing projects. Security training courses will often compete with a developer's primary goal of delivering functionality-rich code on time and on budget. As a result, training time needs to be explicitly blocked off in the developer's project plan, in a way that does not interfere with existing commitments.
The easiest way to achieve that is with eLearning courses. Their flexibility makes it possible to engage developers on their own terms, allowing them to complete training at their own convenience in short two- to three-hour blocks. There is no need to take whole days away from a current project (as most instructor-led courses demand), which makes it easier for developers to engage with the syllabus voluntarily.
Vulnerabilities come from the code developers actually write, so training needs to be tailored to the languages, frameworks and platforms they work with. Different languages, development methodologies and platforms require different forms of training, so it is essential to talk to your developers about the type of training they need.
3) Developer Training Isn’t Ongoing
Some organisations believe that a single training course should be enough to completely change a developer's approach to security. They invest in one course and require all of their developers to take it, regardless of its relevance to their specific role. They then test for vulnerabilities and, when the course (unsurprisingly) has had no noticeable impact, they scrap the entire training programme.

Many developers have years of experience behind them, and putting security at the forefront of their development practice means changing well-established habits and behaviours. Achieving that requires developer training to be an ongoing process.

Developers need access to a curriculum of courses, each tailored to their individual role. This needs to be reinforced by regular testing and backed up by access to a repository of security information they can consult while they work.
4) Security Has a Bad Reputation
Any of the above problems can derail the rollout of a developer training programme. In organisations where this has happened, it can create a vicious cycle in which each successive failure damages security's reputation and makes the organisation more resistant to further security measures. This is made worse by friction between the developer and security teams, and by the presence of costly shelfware.

Thankfully, the cycle can be broken by addressing the issues detailed here and by striving to develop organisation-wide security awareness. Security is not the responsibility of a single team: to create an effective developer training programme, everyone from junior developers to senior managers needs to understand the importance of security and their own role in achieving it.