03 Aug, 2020

Development Training The Secure Way

by nVisium

Even the best athletes need a coach to maximize their performance, so it is not a far stretch to believe that having a development coach for your software engineering team would push them to great levels. Not just in productivity and performance, but in ensuring everything developed is also secure and the likelihood for cybercriminals to breach is minimized.

development training is a "need to have"

Whether you wish to acknowledge it or not, your development teams are akin to an athletic team. They have to work together in a coordinated manner towards a singular goal while relying on each individual to uphold their specialty. In the case of software development, the end result is delivery of production-ready code within specific budget and timeframes while also not opening the company to other vulnerabilities (i.e. security breaches).

Security is a “need to have” in every organization that cares if their information assets are at risk for loss or damage. So, it stands to reason that as you develop code, you should be aware of the latest and greatest security vulnerabilities and coding best practices to maximize security principals throughout the development process. This is why development training is a “need to have” in today’s world.

Very few people will argue against the benefits of training. Done well, training helps us improve how we do our jobs. Unfortunately, done poorly it can break the spirit of even the most motivated of teams. Most discussions about which styles of training are most beneficial and which are not are a complete waste of time. While people talk about learning techniques and how to get students to retain more knowledge and complete training courses with more practical benefits that are measurable in the real world, none of that matters if no one shows up for the training. Bottomline, if you can’t get your students to engage in the training, it’s just a waste of everyone’s time.


how to make it engaging

It may be a blatant statement of the obvious, but still has to be said: the only effective training is one that the students are engaged in, to the point of immersion. While there are a number of strategies that can be employed to convey this importance to the prospective students, here are three critical success factors that should be accounted for:

  1. Gamification: Gamification is very popular today that’s to mobile apps and can get competitive juices flowing in even the most conservative organizations. The training you select may or may not lend itself to gamification, but if it’s designed with gamification in mind, then it’s easier to pursue this strategy. Multiple levels of gamification that can be used: from primary challenges with badging and scores to more integration with challenges, social network sharing (internal or external), personalization, and individual leaderboards. Whether or not you deploy this engagement strategy has a lot to do with your organizational culture but can deliver huge jump in success if done properly.

  2. Team and/or Leader Dashboards: How do you know if you are winning or losing if you don’t keep score? For training that means building out dashboards are typically built to align with organizational/team structure and highlight specific leadership milestones. They should roll up to a logical level of management, usually the developer’s manager and the next level or two depending on the size of the organization. It is also beneficial to group students by three or four progress levels depending on the type of training course they are taking. For example, you could use ranges like 0-33%, 34-66%, 67-99%, and 100% completed or more general terms like Registered, Coding, and Completed.

    If managed well, these dashboards can help drive a little friendly competition between members of management to help encourage prioritization of training (see Gamification above). Dashboards can also stimulate discussions about the training between developers and their management which can improve the understanding and support for secure development practices within your organization.

  3. Performance Requirements: Performance Requirements are the more traditional way of handling activities that are considered mandatory and not something employees normally do voluntarily. It’s directly tying a reward or punishment to their efforts. Sometimes this is coupled with the team/leader dashboards, and sometimes it’s deemed enough on its own. While this strategy generally ensures that targeted students actually complete the training, without management support and encouragement outside of “do it or else,” information retention and overall feedback on the training will likely be tainted heavily in the negative regardless of the quality of the course or courses.

Ultimately, training is only effective when the employee takes it seriously. In most organizations employees will focus on what their manager/boss/supervisor guides them as being an important daily focus. If you as a leader do not make a point to let your people know that training is essential, then expect minimal engagement. In turn, if you as a leader will also seek prioritization guidance from the leadership above all the way to the top of the organizational chain, then the entire team will embrace it whole-heartedly.

what else you should know

The only way to know if you are successful or not is to measure the benefits and improvements generated by the training in your code base. While traditional pre-test/post-test and knowledge-based multiple-choice quizzes will give you some insight, they don’t necessarily correlate to actual security improvements in your code base. You should be identifying measurements like the number of vulnerabilities per build/release or similar metrics that are pre-release and post-release. Find or build a consistent, repeatable process, that enables you to gather solid metrics for a baseline. Then, as teams complete the training, monitor the results for statistically significant changes in the numbers. Be aware that this may take several months to a year, but the benefits gained will last a lifetime.

 

nVisium’s DevSec Mentor training platform was created with the intension of replacing outdated teaching methods such as CBTs (Computer-Based Training), instead providing an in-depth and engaging online training experience. Training focuses on how application security vulnerabilities manifest, requiring participants to find and remediate high risk code in order to progress.

One of the more difficult issues with training is demonstrating the real-world impact of a specific vulnerability. nVisium uses games to teach developers and information security professionals to think like hackers by launching real-world attacks against applications and seeing the impact of these attacks as they land against other teams in the event. Depending on the style of game requested, defensive players may then implement fixes, and watch attacks fail in real time.

Just remember that software security is a long game and while there are some quick wins you can realize; the most significant gains will be the long term cultural changes that may even stretch generationally.   Schedule a consultation today to see how it’s done.

 

software developer DevSec Training secure development

RECENT POSTS