Security Awareness Blog

What Should Developer Security Awareness Training Look Like?

SDLC-EndGuest Editor: Today's post is from Eric Johnson. Eric is a Senior Security Consultant at Cypress Data Defense and the Application Security Curriculum Product Manager at SANS. In this series of posts Eric will take a look at laying a foundation for Developer Security Awareness Training.

In our last post, we discussed improving the security of our organizations with security awareness training for development teams. Now let's talk about the security training we should provide.

What should it look like?

All team members have different knowledge levels of the various threats facing our applications. Some have received little or no application security training. Some may have taken a few courses in college that mentioned some common security issues. A few may have received in-depth application security training from a previous employer. The only way to guarantee everyone is on the same page is to establish a common baseline for all team members.

The first step is covering the fundamental aspects of application security. In this phase, introduce all team members to the attacker. Explaining who will be attacking their applications, along with their motivations, and introducing the attack methodology and the steps an attacker will take to compromise their applications will help them understand why security is important. By the end of this topic, everyone will understand the role they play in protecting the company's assets.

Next, cover the secure software development lifecycle. This is where security is integrated into the daily tasks handled by the development team. Introduce the development team to secure design techniques. Show them how integrating and automating security during construction and deployment will help secure their applications. When everyone has a fundamental understanding of application security, focus on the different types of applications each team is responsible for. Ensure groups responsible for web applications understand the OWASP Top 10. Anyone working on mobile applications must take mobile security training. Be aware of emerging technologies, such as Cloud and HTML5, and ensure they are being adequately covered.

Finally, narrow the scope even further. Introduce the development team to platform-specific secure coding training. If mobile applications are being written using iOS and Android, make sure the development team understands how to use the security features provided in those frameworks. Address the other development teams supporting web sites using other platforms, such as Cold Fusion or PHP, in a separate training effort. This phase is best received if the platforms being covered are relevant to the audience.

This is a lot to cover, but no one said application security is easy. Taking the time and effort to cover these topics is the first step towards building secure software! In our final section, we will take a look at the different types of metrics that we can collect, and how they can help steer our security program.

 

Bio: Eric Johnson is a Senior Security Consultant at Cypress Data Defense and the Application Security Curriculum Product Manager at SANS. He is the lead author and instructor for DEV544 Secure Coding in .NET, as well as an instructor for DEV541 Secure Coding in Java/JEE. Eric serves on the advisory board for the SANS Securing the Human Developer awareness training program and is a contributing author for the developer security awareness modules. His experience includes web and mobile application penetration testing, secure code review, risk assessment, static source code analysis, security research, and developing security tools. Eric previously spent six years performing web application security assessments for a large financial institution and another four years focusing on ASP .NET web development. He completed a bachelor of science in computer engineering and a master of science in information assurance at Iowa State University, and currently holds the CISSP, GWAPT, GSSP-.NET, and GSSP-Java certifications. Eric is located in West Des Moines, IA and outside the office enjoys spending time with his wife and daughter, attending Iowa State athletic events, and golfing on the weekends.

 

3 Comments

Posted February 26, 2015 at 5:57 PM | Permalink | Reply

BeekerMD03

What is the "secure software development lifecycle"? Got a link online to point to?

Posted March 1, 2015 at 3:53 PM | Permalink | Reply

lspitzner

Beeker, great question. I'll have Eric Johnson do a blog on just that in the next week. Thanks for asking, as I'm sure others are wondering also.

Posted March 12, 2015 at 12:12 PM | Permalink | Reply

steve

Such an important step towards a full development cycle yet shoddily approached from many. Hope the training works.