Security Awareness Blog

Developer Awareness Training: How Metrics Help

SDLC-EndGuest Editor: Today's post is from Eric Johnson. Eric is a Senior Security Consultant at Cypress Data Defense and the Application Security Curriculum Product Manager at SANS. In this series of posts Eric will take a look at laying a foundation for Developer Security Awareness Training.

In the previous post, we laid the foundation for developer security awareness training. Now let's talk about the metrics we can collect to help improve our program.

It's all about the metrics

As we previously mentioned, establishing a common baseline for the entire development team would be helpful. A comprehensive application security assessment should be performed before awareness training begins. For example, the SANS Software Security team has a free web based security assessment knowledge check. A knowledge check such as this allows you to create a baseline, establish core strengths and weaknesses, and steer the types of training to be provided.

As the awareness training takes place, knowledge checks are helpful at the end of each module along the way. These short quizzes ensure each student understands the topic that was presented and provides immediate feedback with any problem areas. The organization can use these metrics to track each team member's progress and understanding along the way. Reports can be generated from this data to show how things are moving along, and even used for employee reviews.

The final step is to repeat the comprehensive security assessment again. This time use a similar exam with different questions covering the same topics. Ideally, the results will show improvement from the original baseline. Doing so will prove the effectiveness of our developer awareness program, and guarantee our funding as we onboard additional team members. Most importantly, the knowledge gained from the training program will help protect your organization with secure software moving forward. We hope this series has helped form a vision for your developer security training. For more information, check out the STH.Developer Security Awareness Training program.

Bio: Eric Johnson (Twitter: @emjohn20) is a Senior Security Consultant at Cypress Data Defense and the Application Security Curriculum Product Manager at SANS. He is the lead author and instructor for DEV544 Secure Coding in .NET, as well as an instructor for DEV541 Secure Coding in Java/JEE. Eric serves on the advisory board for the SANS Securing the Human Developer awareness training program and is a contributing author for the developer security awareness modules. His experience includes web and mobile application penetration testing, secure code review, risk assessment, static source code analysis, security research, and developing security tools. Eric previously spent six years performing web application security assessments for a large financial institution and another four years focusing on ASP .NET web development. He completed a bachelor of science in computer engineering and a master of science in information assurance at Iowa State University, and currently holds the CISSP, GWAPT, GSSP-.NET, and GSSP-Java certifications. Eric is located in West Des Moines, IA and outside the office enjoys spending time with his wife and daughter, attending Iowa State athletic events, and golfing on the weekends.