There are two primary sources of vulnerabilities in software. The first – design flaws – results from poor architectural decisions. These can include assuming an entity is trusted, failing to check a user’s authorizations after authentication, and other common errors. Many design flaws can be avoided through threat modeling.
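To make the second design flaw concrete, here is an added example (not code from the original article or from Security Compass): a request handler that authenticates the caller but treats the session as sufficient, beside a hardened version that also checks that the caller owns the record or holds an admin role. The users, session tokens and invoice records are constructed inline for the demonstration; the function and field names are hypothetical.

```python
"""Design flaw: authentication without a follow-up authorization check.

Added example, not from the original article. All data below is constructed
for the demonstration; there is no real backend behind it.
"""


class AuthError(Exception):
    """Raised when the session token does not identify a user."""


class AuthzError(Exception):
    """Raised when an identified user is not allowed to see a record."""


# Constructed sample data (hypothetical users, tokens and invoices).
USERS = {"alice": {"role": "user"}, "bob": {"role": "user"}, "carol": {"role": "admin"}}
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob", "tok-carol": "carol"}
INVOICES = {101: {"owner": "alice", "total": 42.0}, 102: {"owner": "bob", "total": 99.5}}


def authenticate(token):
    """Map a session token to a username, or raise AuthError."""
    try:
        return SESSIONS[token]
    except KeyError:
        raise AuthError("invalid session") from None


def get_invoice_vulnerable(token, invoice_id):
    """The design flaw from the text: a valid session is treated as proof of
    entitlement, so any logged-in user can read any invoice by id."""
    authenticate(token)
    return INVOICES[invoice_id]


def get_invoice_hardened(token, invoice_id):
    """Authorization enforced after authentication: the caller must own the
    record or hold the admin role. A missing record and a forbidden record
    both raise the same AuthzError so the response does not reveal which ids
    exist (a common information leak when the two cases are distinguished)."""
    user = authenticate(token)
    record = INVOICES.get(invoice_id)
    if record is None:
        raise AuthzError("forbidden")
    if record["owner"] != user and USERS[user]["role"] != "admin":
        raise AuthzError("forbidden")
    return record


def raises(exc, fn, *args):
    """Return True if fn(*args) raises exc; used to check the deny paths."""
    try:
        fn(*args)
    except exc:
        return True
    return False


if __name__ == "__main__":
    # bob is authenticated, so the vulnerable handler hands him alice's invoice.
    print("vulnerable:", get_invoice_vulnerable("tok-bob", 101))
    # The hardened handler denies the same request but still serves bob his own.
    print("hardened denies bob->alice:", raises(AuthzError, get_invoice_hardened, "tok-bob", 101))
    print("hardened serves bob->bob:", get_invoice_hardened("tok-bob", 102))
```

The fix is a design decision, not a one-line patch: every handler that returns a record keyed by a caller-supplied id needs the same ownership-or-role check, which is exactly the kind of rule that threat modeling surfaces before code is written.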
The second source of vulnerabilities is coding errors. Coding errors can result in vulnerabilities in the open-source components organizations use, of course. However, our focus today is on coding errors in the custom software written by internal development teams.
Coding errors occur when a developer is either unaware of secure coding best practices or forgets them due to pressure to deliver functionality. This is why security standards such as the Payment Card Industry Data Security Standard (PCI DSS) require organizations to train software development personnel on secure coding.
Traditional Training Isn’t Working
The idea is simple. Training developers on secure coding practices will reduce vulnerabilities. When done correctly, everyone wins. Developers improve their skills while eliminating unexpected security rework and customers gain confidence in their supply chain. In practice, many organizations miss the benefits by treating training as an event instead of a process.
The PCI requirement mandates training “at least once every 12 months.” This leads some organizations to require that developers complete a single online training course annually. While this meets the minimum PCI DSS requirement, it is ineffective. As we have previously written, without reinforcement, students forget 35 percent of a lesson on the first day and 75 percent in the first week! Early, repeated support – treating learning as a process – increases retention.
Wise development leaders recognize that limited training communicates to teams that professional development is not a priority. However, our 2022 DevSecOps Perspectives on eLearning found that the average amount of time spent annually on application security learning amounts to just two and a quarter (2.25) days per year. This is not a good retention strategy when 87 percent of millennials believe “professional or career growth and development opportunities” are important to them. Another study found that “40 percent of employees who receive poor job training leave their positions within the first year.”
How Employees Want to Learn
Since a motivated student is a better student, our research on employee training focused on how employees want to learn. The 2022 Developer Perspectives on Application Security study found:
- Training should meet the developers where they work: 27 percent want training embedded in their tools, and 26 percent want firsthand examples and exercises. Only 5 percent preferred in-person lessons.
- Training should be on demand: Overall, only 16 percent of developers believed the best time to do training was “at a time designated by the organization.” 81 percent preferred “on-demand” training when starting a new task, encountering a coding problem, or addressing vulnerabilities.
- Training should be geared to the role: 72 percent want vendor or technology-specific training to help them perform their jobs. This also requires training that is contextual and relevant to specific tasks.
- Work/life balance is part of the equation: 68 percent of employees prefer to learn at work. A majority – 58 percent – prefer to learn at their own pace.
How Security Compass Helps
Security Compass takes a developer-centric approach to learning, combining our secure coding expertise and modern instructional design to deliver training to developers where they work and when they need it. We offer dozens of role-specific courses covering the entire SDLC, ranging from security basics to deep-dive classes and learning paths for specific coding languages. On-demand, interactive training enables your team to access courses at any time and learn at their own pace.
Our Software Security Practitioner (SSP) Suites are pre-selected sets of courses for specific coding languages or specific roles within the development team and earn accreditation from the International Information System Security Certification Consortium ISC2. These courses enable developers to learn foundational elements of software security, language-specific secure coding skills, as well as security skills needed for other roles in the SDLC such as architect, QA, and project management.
Learner retention can be further enhanced by supplementing our on-demand courseware with SD Elements Just in Time Training (JITT). SD Elements delivers relevant, bite-sized contextual learning directly to the Agile planning tools developers use. Based on the threats and countermeasures surfaced by modeling an application in SD Elements, JITT modules are delivered to developers through their existing workflow, along with code samples and how-tos relevant to the task at hand. Providing micromodules in the workflow boosts retention of the security concepts taught in on-demand courseware.
You can see more insights from our research on training by downloading our report here.