Effectively learning about secure coding and retaining that knowledge can make it seem like it’s inherently difficult, but with the right tools and culture, it doesn't have to be. However, it’s not always easy to convince stakeholders and superiors to invest in the right kind of training. Here are some handy tips to help you gain their allegiance.
Chances are if you deal with software in any way, whether you’re a developer, QA, an Engineering Lead, or an AppSec professional, security is part of your job. It’s the security team’s job to point out software vulnerabilities, and it’s the developer’s job to do their best to write code without flaws to begin with. But in order to do those jobs as efficiently and effectively as possible, it’s important that all parties work together against security threats, starting with the code your applications run on.
Effectively learning about secure coding and retaining that knowledge, however, can make it seem like it’s inherently difficult. With the right tools, it doesn’t have to be. But it’s not always easy to convince stakeholders and superiors to invest in the right kind of training. Training is too often chosen with the sole goal of ticking a compliance box, and much of the time it’s irrelevant to a developer’s daily work. But what if developers could learn about security in real time, in the language and framework they work in every day, and have fun doing it? And to top it all off, your organization complies with industry standards at the same time.
We’ve got your back. Here are some strategies to get your peers, leads, and the ultimate decision-makers within your organization on board with a developer-focused secure coding training program.
Do you find yourself spending too much of your time either finding, reporting, or fixing repeat security issues? You’re not alone.
Imagine the following scenario: as soon as AppSec finds a vulnerability and reports it back to development, the developer hops into a relevant training lesson and learns not only how to fix that flaw, but how to avoid making the same mistake in the future. What do you think the result would be? That developer would most likely remember the lesson because of its relevance and be less likely to make the same error again. If you work on a security team, that means one developer less likely to unknowingly create that vulnerability again, and one developer less likely to have to go back and fix it again.
If all developers took part in regular secure code training and had the tools at their fingertips to learn about security issues in real time, the time regained to create amazing software and work on security programs would be immeasurable. Sounds like a pretty good argument for your organization to invest in a tool just like that, right?
If you’ve found a great tool you’d love to use to skill-up in security, something like (cough) Secure Code Warrior, this is a great argument for pitching it to the CISO or CTO within your organization.
Time and money are of course very important to your management team, but so is your job satisfaction. Satisfied employees deliver better results, stay longer at their jobs, and contribute to a positive work environment. That’s why career building and training are an investment, not a cost. And if that training is actually fun and teaches something relevant? That’s a golden ticket to success right there.
The great news is that developers are typically highly motivated to learn security because they know how important it is for their jobs. We surveyed developers from all over the world in a study with Evans Data Corporation and found out that developers want to learn security because:
(Download the full whitepaper here.)
The only problem is that most secure coding training is letting them down. It’s not relevant to their daily work and, let’s face it, it’s downright boring. Those are qualities that don’t usually deliver good results in terms of retaining information and actually learning. When the learning platform is developer-centric, fun and engaging, and relevant to their work, however, it can deliver real results and create empowered individuals who want to write secure code. And why would your boss, be it a development lead, a CISO, or a CTO, not want developers to be interested in coding securely and to have the skills to do so?
When engineers understand how software can be vulnerable to attacks, they do their work with that in mind. The more someone understands what can go wrong, the more they work with a preventative approach.
Not only that, but poor quality code is more likely to contain software vulnerabilities and it’s easier for a developer to unknowingly introduce a vulnerability into that code. Why? Because a lot of what they do is read and alter code. When that code is poorly organized and uses poor logic, it takes longer to perform those tasks and it becomes easier to change something and accidentally introduce a critical security bug.
When developers understand security and how to avoid problems, they also think harder about the overall quality of their code and how to write it so that a bug can’t easily be introduced by accident. Security training is a win-win: developers learn about secure coding, and they become better engineers in the process.
Another great tactic to get buy-in from your leaders to adopt a secure coding learning platform is to get your colleagues on board. The more developers interested in upskilling their security knowledge, the easier it will be to convince management or the C-suite to invest in it.
So how do you do that? Given that most developers understand the need to get better at security and want to learn, it shouldn’t be too hard. You can also have them take a look at the Secure Code Warrior developer showcase to get a sneak peek at our product and start testing their secure coding skills. Once they see the impact of insecure code and discover that learning about security can be fun, they’ll feel empowered to learn more.
Once you’ve adopted the right tool, a great way to get your developers engaged is with some healthy competition. Try kicking off your training program with a tournament.
Training doesn’t have to be boring, and it really shouldn’t be. We know that lectures are expensive, difficult to organize - especially with distributed teams - and you’re unlikely to take much away from them. Yet organizations continue to offer developers secure coding training that does little more than tick a box each year for compliance. It’s no longer enough to simply maintain the status quo. It’s time for development managers and AppSec to step up their game and work together to implement a training tool that promotes ongoing and engaging learning. And that starts with convincing the decision-makers.
Continuous, hands-on training is necessary for a number of reasons. Cybersecurity threats are constantly evolving, so it’s only natural that training to combat those threats should be continuous as well. Not only that, but as mentioned already, when we learn in real time we’re much more likely to retain what we learned. Coding with security in mind is hard to put into practice when it relies on a developer recalling something they saw in an out-of-context slideshow perhaps almost a year earlier; that expectation is unrealistic. But if they learn how to avoid a particular software vulnerability the moment it’s reported to them, and feel like they’re playing a game at the same time, that’s a whole new ballgame.
As soon as hands-on, relevant training is implemented, security becomes part of the company culture and is no longer treated as an afterthought. It gets baked into the development process from the start of the software development lifecycle.
So what are you waiting for? Start your journey to improving security within your organization and protecting vital company and customer data. Get your developers and bosses on board to take secure coding to the next level in your organization. Stop seeing the same vulnerabilities time and again by thinking about security from the very start.