2022 DevSecOps Perspectives on AppSec Training

 

Overview

The current research provide a comprehensive view into current application security approaches and viewpoints among those most directly involved in software development

As is widely recognized (but not always adopted), a culture of security requires proper training to transfer knowledge of the techniques, tools and technologies needed to reduce the possibility of vulnerabilities when deploying code, while providing secure code documentation and tracking to further future prevention efforts. Implementing DevSecOps requires attention to issues of speed, collaboration, and integration. Addressing these issues with effective best practices includes training throughout the software development life cycle (SDLC) in tandem with deployment of preventive security tools and systems. 

The issue of speed in particular should not be overlooked, especially the time between developers posing a question and obtaining an answer. Reliance solely on open source systems, such as Stack Overflow, have been shown to take anywhere from 2 to 16 days between Q and A, depending on both the complexity of the question and the confidence required to ensure accuracy of the answer (e.g., # of upvotes). For large enterprises, millions of dollars are at stake when looking at the “time to proficiency” training new hires and furthermore, two to three times this amount in time (and labor expense) for internal champions providing this knowledge.

Given the importance that eLearning plays in developing secure software, this ebook provides an overview of our research into AppSec training approaches. Findings include “deep dives” into budgeting, training challenges, time consuming elements, how best to reinforce AppSec eLearning, and the value of accreditation to individual contributors, managers, and organizations.

Survey Participants

  • 200 respondents that are part of the software development, Dev Ops, or Application Security teams producing software
  • Required knowledge of application security
    lype sometning
  • Company sizes ranged from mid-market ($50M) to large ($10B) enterprises
  • Company builds custom software
    US (80%) and Canada (20%)

The surveys were conducted by Golfdale Consulting.

Demo/Firmographics

Survey respondents came from companies that produce their own custom software. Respondents were part of the software development, Dev Ops, or Security teams, and in this capacity they must have had knowledge of application security. One quarter of those surveyed were managers, the remaining 75% were individual contributors. They came from a variety of industries and a range of company sizes.

Chart displaying roles in software development. 42% writing code, 25% managing dev teams, 16% design/architecture, 12% security, 4% QA, and 3% hardware engineer.

Bar chart showing industry sectors: 30% Technology, 17% Software as a service, 14% Manufacturing, 10% Retail, 8% Financial Services, 6% each for Banking and Healthcare, 5% Insurance, 4% Professional services, 1% each for Telecom and Government.

Bar chart showing company revenue distribution: 2% for $50M to less than $100M, 6% for $100M to less than $250M, 22% for $250M to less than $500M, 20% for $500M to less than $1B, 40% for $1B to less than $5B, 8% for $5B to less than $10B, 3% for $10B or more.

Application Security Training

Virtually all companies offered their development, ops, and security teams some form of application security training,

Pie charts showing two aspects: (1) AppSec training offered at your company - voluntary and not undertaken (47%), voluntary and undertaken (50%), and mandatory (3%). (2) Security Champions program at the company - yes (73%), no but launching soon (5%), and no (22%).

A bar chart titled “AppSec Training Offered at Your Company” with various training options listed on the y-axis. The top training options are eLearning courses (42%), interactive training (40%), and vendor specializing in cybersecurity (38%).

Budgeting for Software Security

Bar chart showing budget decisions for application security training: 44% decided centrally (e.g., HR or IT based on input from development managers), 25% decided by the manager, 21% each developer decides, and 11% a combination of the above.

While budgets are often set centrally, Dev Teams (managers and coders/engineers) are predominantly the ones who select their training.

Chart showing input into application security training: I directly own the training, I actively influence the training, I have some moderate input, I have little to no input.

 

Most individual appsec training budgets sit within a $500 to $2500 range annual.

 

Bar chart showing individual budgets for AppSec training: 1% none, 4% up to $500, 45% between $500 and $1000, 44% between $1000 and $2500, 7% more than $2500.

AppSec eLearning Challenges

While frustrations vary widely, both the depth and breadth of content are most frequently cited.

A bar chart showing frustrations with developer training. Top frustrations include depth of content (15%), breadth of content (15%), and not integrated into app dev environment (11%).

New code to satisfy security requirements is the most time consuming both for individual contributors and for dev managers.

Bar chart showing the most time-consuming aspects of secure development: documenting steps (15%), assigning tasks (21%), sourcing answers to security questions (28%), and implementing new code to meet security requirements (37%).

AppSec Training Demands on Developer Time

The average amount of time spent annually on application security learning amounts to just two and a quarter (2.25) days per year, and slightly less by Dev Team managers.

Bar chart depicting time spent on application security (AppSec) training by level: No dedicated time (3%), one session per year (13%), up to one hour per month (15%), one to two hours per month (28%), two to four hours per month (18%), over four hours per month (8%), one day per month (4%), and more than one day per month (13%).

Over three quarters of those surveyed are looking up security topics on a weekly basis or more.

ar chart illustrating the frequency of looking up security topics: daily (21%), once or twice a week (54%), once or twice a month (22%), rarely (3%), and never (0%).

Best Timing and Reinforcements for eLearning

The best times to doing eLearning for AppSec Security is during active design (requirements) and Dev / DevOps activity.

ar chart showing the best times for secure development training: during coding and implementation (16%), cloud configuration (14%), before new requirements (12%), after threat model results (9%), during architecture/design (9%), when vulnerabilities are discovered (8%), after pen test results (7%), after receiving new stories/requirements (7%), after a bug report (6%), irrespective of project timing (5%), between major projects (5%), and when encountering problems (3%).

 

A leaderboard for tracking Appsec training would be very popular

 

A semicircular chart showing the likelihood of opting into an AppSec training leaderboard. 77% of respondents said “Yes,” while 23% said “No.”

 

Almost all respondents would opt into an AppSec training leaderboard if it was made available

 

Likely Impact of A Leaderboard Enticing More AppSec Training: A horizontal bar chart illustrating the likely impact of a leaderboard enticing more AppSec training. Categories include Much more likely (40%), More likely (41%), Moderately more likely (19%), Slightly more likely (2%), and No more likely (2%).

Value of Accreditation

Security accreditation is broadly viewed as very helpful, for individual contributors, managers of dev teams, and organizations themselves. It helps individuals contribute and to guide others

 

A bar chart showing how accreditation helped career development. Top responses include making the job easier (45%), building credibility (40%), and aiding in promotion (39%).

 

A bar chart showing how accreditation could help career development. Top responses include helping guide others (56%), making the job easier (44%), and aiding in promotion (37%).

 

Value of Accreditation to External Stakeholders: A circular chart depicting the value of accreditation to external stakeholders. Values are It is a value add for us (46%), It is a clear company differentiator (38%), It is simply expected as a requirement (16%), It adds very little value (1%), and It is not valuable at all (0%).

 

Conclusion

In the field of cybersecurity, education is paramount. Without exception, individuals directly involved in, or managing, software development, DevOps, and security acknowledge the need for comprehensive cybersecurity training to competently perform in their roles. Whether compulsory or voluntary within organizations, 97% of those surveyed had undertaken some form of training within their current company. Most favoured a broad range of training formats, with eLearning from course catalogue providers topping the list. Interactive training, JITT with short videos, along with code samples and snippets were all popular.

While training budgets are often set centrally, with a portion set aside for AppSec training, the providers are often chosen and decided locally by developers and their managers. These budgets are non-trivial. They typically range anywhere from $500 to $2500 per FTE developer. For the organizations we surveyed, with a median size of ~1250 developers, these ranges translate into training costs of roughly $600k to $3M per year. Despite these investments, new code to satisfy security requirements is most time-consuming. Against these cost and time expenses sits the #1 frustration of those charged with development and deployment which is a lack of breadth and depth available in many AppSec training programs. Further, much of the training offered is not sufficiently integrated into the application development environment nor is it interactive. While there is wide spread alignment on what is needed, the ability to deliver on it too often falls short.

Three quarters of our respondents were looking up security topics regularly (at least once or twice a week), or even daily, to do their job. However, they were receiving on average the equivalent of just over two days per year on AppSec training which should reduce this need. Obtaining the cybersecurity knowledge they need during the process of coding and implementation was most favoured. Further enticement to continuously build knowledge in this area through courses, participation in cyber-quizzes, and obtaining certifications could also be reinforced through Leaderboards. Overall, our eLearning survey validated the current practices of obtaining security certifications. They helped make jobs easier, made helping others easier, and added to the credibility of both the individuals achieving them as well as the organizations they represent.