Global Practices: Security Training for the Development Team

Background

In a previous paper entitled Secure Development Lifecycle: Importance & Learning, I covered the importance of the secure development lifecycle (SDL) and the lessons teams learned when implementing SDL. In this paper, I share my experience in building a security training program for the development team.

To build a secure application or platform, one must ensure that the development team understands security and incorporates it both during the design phases and while writing the first lines of code. The following are key steps and considerations for a successful security training program for the development team.

Security Skill Assessment

It is essential to assess the security skill level of the development team to efficiently implement a security training program. One can accomplish this through a simple survey or readily available assessment tool.

If a team is larger than fifty members, I recommend using a predesigned assessment tool, such as a SaaS-based security training platform. Reserve this evaluation as a baseline for future reassessments. Generally, the team should take an assessment annually to evaluate the progress and value of the security training program.

Security Learning Path

Once you assess the team’s security skills, the next step is to create a learning path. A well-defined learning path will help team members understand their security skills and areas for improvement. The learning path should be role-based (see next section) and consider team members’ current security skills and project workload.

In addition, the learning path should be feasible and must have the commitment of the respective team member; otherwise, it will be challenging to keep team members committed through the later stages of the learning path.

Be sure to revisit the learning path with team members every six months. Reviewing the learning path will help gauge its effectiveness based on the progress and feedback from the team members. Some team members may be ahead and others behind, so revisiting the learning path will help set realistic expectations and goals.

Role-Based Security Training

The one-size-fits-all approach does not work for training the development team. Each role in the development team has unique responsibilities and skills; hence, a role-based security training program is critical. Some topics are common, such as threat modeling, attack surface, and defense in depth, so the entire development team must learn these topics.

Other subjects are specific to certain roles in the development team, like language-based secure coding, security testing, and compliance. Only the individuals in those roles need training on those subjects. Therefore, all members of a development team must receive the following training based on their roles.

Basic Software Security Training

Security Application Fundamentals

Regardless of their role, everyone on the development team must learn the following concepts to establish a solid foundation for proper security training:

• Threat modeling basics
• Introduction to attack surface
• Defense in depth
• Principle of least privilege
• Secure by default
• Open design
• Privacy and data protection
• Fail securely
• Trust no inputs
• Secure error handling
• Secure logging
• Reuse of existing security control

Secure Coding

Every developer must go through secure code training. Some topics can be language-independent, covering basic principles of secure coding, while others are language-specific. The following topics are essential to secure coding.

Secure Coding Fundamentals – These principles are the core of secure coding practices, which team members must adhere to and be aware of at all times:

• Buffer overflow and remote code execution
• Avoid hardcoded credentials and configuration
• Software composition analysis
• Security misconfiguration
• Storing sensitive data in plain text
• Insecure cryptographic storage
• Insecure communication
• Improper error handling and logging
• Functional vulnerability

Web Application Security – These are the top web application security issues:

• Injection flaws
• Broken authentication and session management
• Sensitive data storage
• XML external entities
• Broken access control
• Insecure deserialization
• Cross-site scripting
• Cross-site request forgery
• Denial of service

Mobile Application Security – These are the top mobile application security issues:

• Improper platform usage
• Unintended data leakage
• Insecure communication
• Application code quality
• Insecure authentication and authorization
• Code tampering
• Reverse engineering
• Non-functional requirements

Security Testing

Every quality assurance (QA) team member must be able to understand security fundamentals. QA must also be able to conceptualize and perform the following procedures:

• Risk assessment
• Functional testing vs security testing
• Dynamic application security testing (DAST)
• Vulnerability scanning
• Penetration testing
• Attack surface review
• Fuzz testing (for more advanced testing)

Advanced Security Concept

Every senior team member and team lead must understand these concepts thoroughly:

• Secure coding best practices – proactive controls
• Secure development environment
• Secure code repository
• Secure deployment
• Secure code reviews – static analysis tools and manual
• Advanced threat modeling and mitigation

Security Tournaments

Security tournaments are valuable since they spread security awareness and increase engagement within a team.

There are many ways to host a security tournament. One of the most common ways is to present a series of security coding challenges and missions and ask the team members to compete against one another to identify, locate, and fix vulnerabilities. Most SaaS-based security training platforms provide the ability to host and run tournaments and have templates to get them started. In addition, tournaments can be held entirely online with team members competing remotely, in person, or as a mix of the two.

Completing tournaments helps raise security awareness and team involvement through gamification. Depending on the team’s size and workload, there should be a tournament every quarter or at least every six months.

Internal Security Bug Bounty

Internal bug bounty programs help make team members think like hackers, which is critical for a successful security program. The ability to see things from a hacker’s point of view allows teams to write secure applications and helps when responding to a security attack. In addition, it helps develop a security culture within the team and brings constructive viewpoints to the application.

Summary

It is important to remember that understanding each team member’s security skill level and requirements is essential for establishing a successful security training program. A carefully designed security training program is one of the critical steps to improving your development team’s capabilities and can significantly improve the security posture of an application or platform.

Author

Kulbhushan Bhardwaj

AVP Engineering and Global Security Practice Head
