Dec 18, 2017
Security training is a crucial first step on the road to effective application security. Whilst the exact type and frequency of training required will vary from organisation to organisation, there are five basic tenets of security training that all organisations should implement.
1) Basic Security Awareness Training
Before your development team dive headlong into the best practices of threat modeling and defensive coding, it's essential to lay a foundation of basic security awareness. Security awareness is designed to give development teams a reason to engage in further security training: helping everyone to understand the risks their team faces, and the role they each play in minimising those risks. It demonstrates an organisation-wide commitment to security, and gives developers the vocabulary to communicate effectively with other teams (especially security and IT teams).
2) Threat Modeling
Vulnerabilities and threats are a fact of life for application development teams. To be able to take action against these problems in a way that is both effective and affordable, it's essential for managers and architects to be able to evaluate and prioritise the risks facing the development team. With limited time to remediate problems, development teams need a defined process for determining where to allocate resources. Threat modeling will teach your team to:
- Decompose applications, identifying entry points, valuable assets, trust levels and external dependencies.
- Identify and rank threats.
- Identify and enact suitable countermeasures.
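The three steps above (decompose, rank, counter) are what a threat-modeling exercise produces in practice. The following is an added example, not code from the original article or from any training provider it describes: a small Python model of a hypothetical web application in which entry points carry a trust level, assets carry a business value, and each threat is tagged with a STRIDE category and a proposed countermeasure. The scoring scheme (likelihood x asset value x exposure weight of the entry point) and all weights are assumptions chosen for illustration; the application, its entry points and its threats are constructed sample data.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Exposure weight by trust level of the entry point (assumed scale:
# the less trusted the caller, the more exposed the entry point).
TRUST_EXPOSURE = {"anonymous": 4, "authenticated": 3, "admin": 2, "internal": 1}

# STRIDE category labels used to tag each threat.
STRIDE = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information disclosure", "D": "Denial of service", "E": "Elevation of privilege",
}


@dataclass(frozen=True)
class Asset:
    name: str
    value: int  # business value, assumed 1 (low) .. 5 (critical)


@dataclass(frozen=True)
class EntryPoint:
    name: str
    trust_level: str  # key into TRUST_EXPOSURE


@dataclass(frozen=True)
class Threat:
    description: str
    category: str  # one STRIDE letter
    entry_point: EntryPoint
    asset: Asset
    likelihood: int  # assumed 1 (rare) .. 5 (expected)
    countermeasure: str


def risk_score(threat: Threat) -> int:
    """Assumed ranking formula: likelihood x asset value x entry-point exposure."""
    if threat.category not in STRIDE:
        raise ValueError(f"unknown STRIDE category {threat.category!r}")
    return threat.likelihood * threat.asset.value * TRUST_EXPOSURE[threat.entry_point.trust_level]


def rank_threats(threats: List[Threat]) -> List[Threat]:
    """Highest risk first; ties broken by description so the order is stable."""
    return sorted(threats, key=lambda t: (-risk_score(t), t.description))


def remediation_plan(threats: List[Threat], slots: int) -> List[Tuple[int, str, str]]:
    """Countermeasures for the top `slots` threats: (score, STRIDE name, countermeasure)."""
    return [(risk_score(t), STRIDE[t.category], t.countermeasure) for t in rank_threats(threats)[:slots]]


def build_sample_model() -> List[Threat]:
    """Constructed threat model for a hypothetical order-management web app."""
    customer_db = Asset("customer database", 5)
    app_logs = Asset("application logs", 2)
    login = EntryPoint("/login form", "anonymous")
    orders_api = EntryPoint("/api/orders", "authenticated")
    admin_console = EntryPoint("/admin console", "admin")
    return [
        Threat("SQL injection in order search", "T", orders_api, customer_db, 3,
               "Parameterised queries and server-side input validation"),
        Threat("Credential stuffing against the login form", "S", login, customer_db, 4,
               "Rate limiting, MFA and breached-password checks"),
        Threat("Log tampering via admin error pages", "R", admin_console, app_logs, 2,
               "Append-only log shipping with structured entries"),
        Threat("Admin session fixation", "S", admin_console, customer_db, 2,
               "Regenerate the session identifier on privilege change"),
    ]


if __name__ == "__main__":
    for t in rank_threats(build_sample_model()):
        print(f"{risk_score(t):3d}  [{STRIDE[t.category]}] {t.description}")
        print(f"      via {t.entry_point.name} ({t.entry_point.trust_level}) -> {t.asset.name}")
        print(f"      counter: {t.countermeasure}")
```

Running the script prints the constructed threats highest risk first, so a team with time for only two fixes this sprint can call `remediation_plan(model, 2)` and get exactly the countermeasures that buy the most risk reduction. The weights are deliberately simple integers; a real exercise would calibrate them against the organisation's own incident history.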
3) Defensive Coding
The sooner vulnerabilities can be detected, the easier they are to remediate, and the cheaper they are to fix. By teaching developers the best practices of secure coding, your organisation can reduce vulnerabilities at the source, reducing the mistakes and loopholes that make it into finished code. With so many development specialities, from different languages to specific environments, it's essential for developer security training to be role-specific: offering customised training to developers specialising in C/C++, .NET, Java, PHP, cloud environments and so on.
4) Compliance Training
Compliance is a growing problem for organisations. As new security standards are created and revised on an increasingly frequent basis, it becomes extremely difficult for organisations to effectively protect sensitive data, abide by the rules, and prove to regulating bodies that they're doing so. As a result, it's important to use dedicated compliance training to ensure that key professionals understand the implications of common standards like HIPAA and PCI DSS.
5) Security Software Training
Security tools play an essential role in reducing vulnerabilities and improving application security, but they aren't a panacea. Without a way to train software engineers to use code and web scanners effectively, it'll be almost impossible to identify and fix vulnerabilities. Results will be hard to interpret, and riddled with false positives. At best, you'll be overwhelmed by remediation requests, and at worst, you'll be lulled into a false sense of security, unable to identify the vulnerabilities putting your organisation at risk. The end result? Your latest security investment will end up relegated to the status of shelfware.