Another 2021 New Year’s Resolution should be to take a hard look at your current software engineering training regime. Do you even have one formalized? Do you ensure your developers refresh their skills yearly and update to current best practices? Do you know what it will cost your organization if something is miscoded or a potential security hole gets coded in?
Software Engineers Need Training
Whether we care to acknowledge it or not, the weakest link in any IT security strategy is the developer who wrote the code for the applications you use. A TechBeacon article titled “Security liability is coming for software: Is your engineering team ready?” reported:
“Software engineers have largely failed at security. Even with the move toward more agile development and DevOps, vulnerabilities continue to take off. More than 10,000 issues will be reported to the Common Vulnerabilities and Exposures project this year.
Things have been this way for decades, but the status quo might soon be rocked as software takes an increasingly starring role in an expanding range of products whose failure could result in bodily harm and even death.”
And went on to say:
“Anything less than such a threat might not be able to budge software engineers into taking greater security precautions. While agile and DevOps are belatedly taking on the problems of creating secure software, the original Agile Manifesto did not acknowledge the threat of vulnerabilities as a problem, but focused on ‘working software [as] the primary measure of progress.’”
Effective programs focus on training that teaches developers how to write secure code and how to identify flaws in their own software. To allow flexibility, a hybrid approach that combines training material, hands-on application, and consulting should be used to get the most out of the engagement.
DevSec Training Is A Specific Discipline
Training should be performed with the goal of increasing your attendees’ application security knowledge. The end result should be that they understand exactly how this information relates to their job and why it is important to their organization.
Instructor-led: provides a more personalized approach to training and should:
- Train attendees on language-specific application security concepts
- Teach the team how to implement tools and techniques for evaluating the security of a language-specific application
- Discuss real-world examples of insecure language-specific application failures and their fixes
- Answer questions and provide recommendations for implementing language-specific application security in the client’s environment
Online: provides an alternative to instructor-led training and uses an interactive grading engine. Done well, the content will be engaging, language-specific, and aligned with the OWASP Top 10. Before selecting an online course, you should also check that it satisfies the developer secure-coding training requirements of PCI DSS. Effective online courses targeted at DevSec should also provide:
- A Real Development Environment: Each student should have to find and fix every vulnerability within a test application to pass the course
- A Self-Evaluation: Students should be able to test their code locally to confirm it will pass the grading system before submitting
- An Instant Feedback Process: Students should receive their results within a few minutes of submitting their code
- Ease of Management: An organization should be able to review students’ test results through some form of online portal
Selecting the right vendor to help will be an exercise in cultural fit and proven experience with firms that match your profile.
DevSec Mentoring Made Easy
Ultimately you will need secure development training and application security testing training that gives your team an edge and makes building security in more efficient across your enterprise. To be effective, look for training that is specific to your languages, frameworks, operating systems, and cloud providers, so that it guides your team towards a secure core and foundation.
nVisium empowers organizations to eliminate application and cloud security vulnerabilities before cyber threats exploit them, through proven in-depth security assessments, remediation and training programs. Our experienced team of security-savvy developers and engineers guides organizations in building high-ROI best practices into their engineering and secure development lifecycles across applications, operating systems, networks, mobile, cloud and IoT, through services, software solutions and R&D tailored to business operations and compliance initiatives. Additionally, nVisium provides a fully managed platform for tracking and measuring performance, as well as instructor-led and online training.
nVisium’s DevSec Mentor training platform was created to replace outdated teaching methods such as CBTs (Computer-Based Training) by providing an in-depth and engaging online training experience. Our training focuses on how application security vulnerabilities manifest and requires participants to find and remediate high-risk code in order to progress in a game-like setting. We also offer instructor-led programs for those who prefer a more personalized touch.
One of the more difficult issues with training is demonstrating the real-world impact of a specific vulnerability. nVisium uses games to teach developers and information security professionals to think like attackers by launching real-world attacks against applications and seeing the impact of those attacks as they land against other teams in the event. Depending on the style of game requested, defensive players may then implement fixes and watch the attacks fail in real time.
Give us a call when you are ready to renew your software engineering security training or, better yet, schedule a consultation today or download our new eBook titled “Demystifying DevSecOps” to get started yourself.