16 Nov, 2020

6 Ways To Make Your DevSec Training Stick In Your Employee's Mind

by nVisium

Poor employee training has been well documented to cost companies significantly in reduced productivity as well as actual hard budget in mistakes and having great employees leave. This problem is even more magnified in the development organization where poor training can not only cost internal budget but may result in an IT security breach that will have an even bigger negative impact.

Why DevSec Training Doesn't Stick

DevSec Training is a need to have in today’s world where cyber criminals and hackers work tirelessly to find even the smallest of codded vulnerability. What separates bad training from good will be the difference between those organizations that succeed and those that don’t.

A blog entitled “Challenges of Employee Training: Why Training Doesn’t Stick” offers these 5 reasons that training doesn’t stick with employees:

  1. They need to understand the purpose of the training and its relevance to what they do: Trainees who understand the need for the training and why it applies to them are more likely to buy in to the training.
  2. Don’t waste their time: If the training only needs 1 hour, then schedule it for 1 hour. If it needs 8 hours, don’t try to squeeze it into 6.
  3. Engage them: Mentally engaged employees retain more, and transfer training to their work better.
  4. Apply it to what they do: The biggest pitfall in training, and learning in general, is to only cover things at a general level. But how else will you make the training apply to all the different jobs and departments that are present in the training? You don’t.
  5. Training doesn’t end when the session is over: No one learns anything perfectly in one session. Most people will forget more than 80% of what they just heard and learned within 24 hours. Training is not a one and done formula; it requires follow up, repetition, ongoing discussions and training.

Recognize that developers have already gone through years of training to learn their craft, so they will come with a set of very high expectations in order to keep their attention.

6 Ways To Make DevSec Training Stick

Obviously, any training that isn’t put into practice immediately and on an ongoing and consistent manner is all for naught. Because there seems no end to the amount of available poorly done DevSec training, it brings us to a discussion on what characteristics should be evaluated to ensure it is actually effective. Here are 6 characteristics that have been found to help make DevSec Training stick:

  1. Real Development Environment: When training requires each student to find and fix every vulnerability within a testing application to pass the course, it sets up a real-world scenario that being familiar will drive deeper engagement.
  2. Language Specific: It should go without saying that when the training is in the specific language the developer is using, the lessons stick, but unfortunately too often training modules may only use one language as an example and expect the developer to translate that into their required development language.
  3. Self-Evaluation: Students can test their code locally to ensure it will pass our grading system
  4. Instant Feedback Process: Students will receive their results in a few minutes or less after submitted their code.
  5. Gamification: Wired magazine reported “Gamification is a creative and cost-effective approach to foster team engagement and realize knowledge-based economies of scale.”
  6. Ease of Management: When management can review students’ test results it gives them the ability to implement ongoing development plans which will be critical to long term success.

Ultimately, to be effective, DevSec Training courses should contain real-world, language-specific content and focus on how to discover and remediate security vulnerabilities across different technology stacks.

So, selecting the right partner to assist with your DevSec training will be the first step to ensuring the lessons stick and the most current techniques become adopted as best practices by your developers.

DevSec Mentor Streamlines Training

nVisium focuses on training that is designed to teach developers how to write secure code and identify flaws in their own software. Designed to allow flexibility, a hybrid approach of training material, hands-on application, and consulting will be utilized to maximize the training experience during the engagement.

nVisium’s DevSec Mentor is intended to replace antiquated training methods such as generic CBTs (computer-based training), where students watch videos and answer multiple choice questions. nVisium has developed a reputation for offering the most in-depth and engaging instructor-led training for its clients. The online version of our training is an extension of this expertise, knowledge, and training style. Courses focus on demonstrating how application security vulnerabilities manifest in various languages and frameworks using real-world code examples. In order to pass each course, students must find and fix all of the vulnerabilities in the code, demonstrating their engagement and critical thinking skills.

One of the more difficult issues with training is demonstrating the real-world impact of a specific vulnerability. nVisium uses games to teach developers and information security professionals to think like hackers by launching real-world attacks against applications and seeing the impact of these attacks as they land against other teams in the event. Depending on the style of game requested, defensive players may then implement fixes, and watch attacks fail in real time. nVisium’s DevSec Mentor covers Java, .NET, Python, iOS – Swift and Objective C, Android – Java and Kotlin, and Go, with more coming soon. Additionally, the content is engaging and aligns with the OWASP Top 10 as well as meet PCI-DSS requirements.

Now is the time to ensure your DevSec Training actually sticks and to train your developers with the latest security tips and techniques to ensure their skills are up to standards in a post-COVID-19 world.   Schedule a demo today.

software security devops security OWASP Top 10

You might also like:

Get Security Assessment Tips Delivered to your inbox