Everyone knows that the demand for secure software is increasing. While scanning for vulnerabilities can help, it is a reactive solution to the problem. Finding coding errors that result in vulnerabilities late in the development process results in last minute rework, increased technical debt, and delays in releasing software.
A better approach is to build secure code the first time. Most breaches can be prevented using well-known best practices. The problem? Software engineers are trained to deliver functionality first. Computer Science programs focus on learning programming and architecture, with security often an afterthought, even when there are over 600,000 unfilled cybersecurity roles in the US. An article in the Harvard Business Review noted that only one of the US’s top 24 undergraduate programs requires security coursework as a core requirement.
Compliance versus Accreditation
Organizations often treat security training as a compliance issue. For example, the Payment Card Industry Data Security Standard (PCI DSS) requires “Software development personnel working on bespoke and custom software are trained at least once every 12 months” on software security design and coding techniques. This can be accomplished by taking a single, online course.
Annual compliance certification treats training as an activity, not a process. People do not retain knowledge when exposed briefly to information. The Ebbinghaus Forgetting Curve shows that, without reinforcement, students forget over 75% of a lesson in the first week alone.
Organizations that view training as a compliance activity also send a message that security is an obstacle, not a goal.
In contrast, accreditation requires a series of training courses that build on fundamentals, move to more advanced, specialized coursework, and reinforce the learning process through stringent exams. Accreditation is conditional and requires ongoing learning to maintain. When coupled with Just in Time Training while performing tasks, this helps with knowledge retention.
Why Accreditation is Important
The benefits of accreditation to individuals are obvious. Accreditation provides evidence of expertise. It is also portable, making an accredited software engineer more attractive to prospective employers. But accreditation also provides benefits to organizations.
- Accredited developers demonstrate a commitment to secure development. This can provide organizations with a competitive advantage with customers concerned with supply chain security.
- Training can introduce security awareness. An accreditation program helps instill security into the software engineering process to build internal security champions and foster a security culture, developing a security mindset from project management to design, development, testing, and implementation.
- A company-supported accreditation program is an employee benefit. This helps improve recruitment and retention of security-conscious development staff. A recent study shows that employees who believe they have inadequate access to learning and development are two times more likely to leave within a year. Another found that “94% of employees would stay at a company longer if their training and development were invested in.”
Which Accreditations to Consider
Organizations should tailor their accreditation programs to meet the roles and needs of their employees. There are many certifications and accreditations individuals and organizations can consider. Some organizations develop their own to focus on their unique challenges. Other, more generalized security accreditations focus on information security as a whole rather than on software development.
For those companies that do not have bespoke credentialing, industry-recognized programs such as those from (ISC)2 are best. These have pedagogical rigor and are structured to build on broad fundamentals and then focus on the unique needs of the learners, such as Secure Software Development, Cloud Security, and Security Administration and Operations.
Security Compass Provides Industry-Recognized Accreditation
Security Compass enables organizations to train employees to develop secure code without costly AppSec expertise, consultants, or headcount. Our Software Security Practitioner (SSP) Suites deliver on-demand application security training solutions supported by research and accredited by (ISC)2. Coursework covers everything from AppSec Fundamentals, Secure Software Design, and Understanding the OWASP Top 10 to advanced, language-specific topics for Python, Node.js, Java, C/C++, and mobile platforms.
Software security is not solely a development team’s responsibility, and neither are training requirements. In addition to developer-focused curricula, our role-based eLearning platform provides training suites designed for software architects, QA, and project/product managers. Meet developers where they are in their knowledge and learning style to ensure they successfully develop and apply secure coding skills.
Just in Time Training, available with SD Elements subscriptions from Security Compass, complements the SSP Suites, enabling practical application of learning and increased learner retention while they work. These micro-training modules ensure developers have access to credible, up-to-date security training content when they need it – directly from their existing issue trackers such as Jira.