Information Technology keeps the lights on and BMC makes sure of that. They are a global leader in innovative software solutions, and BMC’s digital enterprise management enables businesses to transform and prevail.
BMC safeguards information for patients, passengers, business people, emergency responders, financiers, and our neighbors. They ensure that their developers build security into their software. BMC recently turned to Security Compass’s SSP Suites to provide developers with a foundation of software security and coding based on diverse languages.
CHALLENGE: Create informed Information Security champions amongst BMC’s developers.
BMC understands that information security needs to be both promoted and layered. Ariel Kirson, Director of Application Security, works to layer each development department with security champions. He strives to build the security knowledge of a diverse group of developers:
“We took the OWASP Top 10 and made that mandatory training. The next step was one where our developers didn’t just think about security but had actual knowledge to develop secure products. The training needed to be connected to their work and detailed to include specific attacks with specific solutions.”
Ariel provided advice for companies who are dedicated to similar work. He encouraged companies who work toward knowledge and defense-in-depth to understand the business importance of security:
“People usually think of security and security training as something that tends to slow down and tack on with things that need to be fixed. Security can be more. Security is a differentiator that helps to close sales.”
He also explained how to help a diverse set of developers around the globe. He recommends agile security training methods: “SSP is scalable and at a pace we require. Our company is very focused on leading companies to success in the digital enterprise. We develop web-based and internet-based applications. We follow our own example and do our training online as a way for us to offer these courses across geographies and time zones.”
SOLUTION: Diverse eLearning that transformed developers into security champions.
SSP Suites helped BMC transform their developers into teams of security champions and secure coders. Ariel talked about the results and success he saw in BMC’s developers after they completed the training with Security Compass’s SSP Suites: “It is hard to measure a fuzzy requirement like I would like people to know more. ‘The right thing to do’ is a hard sell, but I can see measurable results from SSP Suites. I have had people come to me and say ‘hey we were dealing with this security issue, what do you think about that approach?’ This never would have happened; this proactive approach is new.”
He described the changes in even more detail: “The developers are now self-appointed champions of security. They’re voicing their concerns about security, in a design or architecture discussion, people are asking security questions. I have seen that in multiple product lines. This is something unheard of before, maybe one or two unique and special developers who had an understanding and cared, but we are definitely seeing more involvement. We usually catch security issues at the end when one of my hacker types finds it. We are seeing that it is harder for us hacker types to find the easier security flaws, because they are being solved in design and coding. This is a selling point for my executives. I am looking forward to expansion.”
The developers responded positively to the training. Ariel said, “The pace was concise and the lesson break-up helped us manage time. We didn’t have to play all of the audio back, very good that way for online instruction. The quiz questions were actually testing the knowledge; it wasn’t about memorization with the caveat of regulations and standards. We could answer from what we understood, which was a good thing.”
The developers at BMC showed a great deal of interest in the SSP Suites: “The engineers are looking at the career growth option. The other attraction was the easy sign-up online, easily available lessons.” When interest waned, as it often does, Ariel actively engaged with the developers to remind them to complete the training, and he had help. “Donnie and Michelle from Security Compass helped and provided the marketing for that,” he said. “84% of the developers completed the training and over 50% took the cert exams and passed, so we have newly anointed Secure Software Practitioners.”
The Security Compass team also partnered with BMC by working on an issue that Ariel and his developers discovered. “We found one issue where we didn’t agree with the content. We provided feedback, and we felt like Security Compass was a partner for improvement. There has been a good channel for our feedback with Donnie and Michelle.”
BMC has a lot of engineers, architects, and developers. They found great success working with SSP Suites, and they will build on that success: “We ran the pilot program and what we liked about the vision was the different learning tracks for different roles. We would like to continue working with Security Compass and the SSP Suites. I want this to become part of the learning path at BMC. I want to see it adopted by all in the company.”
BMC brings IT to life and partnered with Security Compass for training; they build security into their software. If you want to know more about SSP Suites, visit our site, where you can discover which secure training solution fits your team and sign up for a demo.