Start Left with Application Security Training

by Carolina Chang, Product Manager & Isabela P. Aureus, Product Marketing Manager
August 2, 2024

How Application Security Training enables organizations to deliver software that is secure and compliant by design

Building secure software becomes more challenging every day. The complexity of modern applications, which can consist of millions of lines of code and integrate with various third-party components, increases the potential for vulnerabilities. The constantly evolving threat landscape requires continuous monitoring and updates to stay ahead of new threats. Human error can introduce design flaws and implementation errors during development. Meeting regulatory and compliance requirements adds another layer of complexity. While being asked to improve security, development teams face increased time-to-market pressure.

Traditional approaches to software security exacerbate this. Application security testing solutions like static analysis, dynamic analysis, and penetration testing cannot be used until later in the software development lifecycle (SDLC) when remediating issues is more difficult, time-consuming, and costly. Tool vendors attempt to compromise by integrating tools with the build server to scan code automatically or into developers’ IDEs to “shift left.” Often, this leaves software engineering with the task of sifting through false positives and “informational” alerts, further delaying development.

The Solution is Better Training

A better approach is to build secure code the first time. Most vulnerabilities can be prevented using well-known best practices. Why is this difficult? Development and security teams are challenged to reduce cost, reduce risk, and improve software security at scale. However, they struggle to achieve this when developers are not trained and lack trusted, validated resources to acquire the knowledge they need to code securely and keep up with requirements.

Some organizations view security training solely as a cost issue. Secure coding training strategies can help organizations reduce costs, reduce risk, and improve software security at scale.

Reduce costs: As noted, when vulnerabilities are discovered late in the SDLC, organizations must choose between remediating those issues or deploying insecure code. Refactoring code at that stage of the development process is expensive, costing up to 100 times more than in the requirements or design phase. Research by Security Compass found that this can total over $50,000 for a single vulnerability.

Reduce risk: Methodologies for building secure software are not a secret. However, software engineers are trained to deliver functionality – not security countermeasures. Secure coding practices are well established, including controls for weaknesses like those listed in the OWASP Top 10 and the SANS Top 25. However, since development organizations are tasked with delivering functional code, the management of risk and the problem of securing code often falls outside of their purview until the business mandates it as a functional requirement.

Delivering that training so that information is retained is critical. Annual security training events held to satisfy compliance requirements simply do not work. Learning is a process – not an event. It requires reinforcement and repetition. This can be accomplished through focused, language-specific, role-based coursework supplemented with spot training on specific issues that developers can access on-demand.

Improve software security at scale: Continuous and focused training allows organizations to improve their secure coding knowledge. Many organizations also invest in security champion programs to build a security culture. Security champions are members of the development team who act as an extension of the security team, keeping their eyes and ears open for potential issues that require security expertise.

Building a successful, organization-wide application security training program requires executive support. A good example is CARIAD, a Volkswagen subsidiary that develops software for Volkswagen Group brands. As expected, 100% of their developers completed training. However, CARIAD took its commitment to security training further. Using role-based curricula, 100% of their executive team, management, and general staff also completed security training to build their security culture and put them on the path to securing software at scale.

Best Practices for Application Security Training

Organizations can begin and mature application security training programs by following some simple steps:

1.   Invest in relevant training – Find training that has the depth and breadth you require for languages and frameworks relevant to your business. Look for solutions that include training tracks for non-technical personnel, product management, and executive staff. Support the development organization with practical application security training, preferably training that can be accessed in context and training that includes samples of secure code.

2.   Lead from the front – Senior leadership must be fully on board. Confirm that your leadership is committed and supports the message that training is an important investment. Ideally, this includes executive recognition for employees who complete training and security champions committed to working shoulder to shoulder with the development team to implement secure coding practices and carry the security culture early and throughout the SDLC.

3.   Level up where you can – The threat landscape changes frequently. Look for training material that includes real-world scenarios, including OWASP Top 10 and SANS Top 25 Software Errors. Offer training that supports advancement and growth in skilling.

How Security Compass Helps

Security Compass provides organizations with a full suite of role-based application security training created to support our mission of helping organizations deliver secure and compliant software by design.

Research-driven Application Security Training Courses
Security Compass’s on-demand courses cover topics from AppSec Fundamentals to in-depth, role-based, and programming language-specific learning. Our training curriculum consists of interactive coursework for software engineers, operations, general staff, and others who support the development organization. It includes learning paths for Application Security, Operational Security, Compliance, security awareness classes for all employees, and DevSecOps awareness for managers.

The courses are modular, with each topic broken into quick 10-minute blocks to allow learners to access lessons as needed and work toward course completion in a way that fits their work schedules. Rather than simple lectures, the courses are interactive. Each lesson requires learners to engage with the material and test their knowledge.

Our ISC2-accredited Software Security Practitioner Suites (SSP) provide role-based courses that enable developers to learn foundational elements of software security, in-depth language-specific secure coding skills, and the secure product development practices referenced in CISA’s Secure by Design document.

SSP Suites include learning tracks for Software Engineers, Security Champions, Software Architects, Project Managers, and QA. In addition, the SSP General Suite provides non-technical students with foundational knowledge of application security. Students receive an ISC2 co-branded certificate upon completing any suite and certification exam.

Kontra Hands-On Labs

Kontra Hands-On Labs offers interactive application security training for developers. It focuses on real-world examples and engages users through visual learning and interactive storytelling, avoiding traditional quizzes, videos, or gamification. The platform supports over 25 frameworks and languages, including front-end, back-end, mobile, embedded, and DevOps topics.

Kontra Hands-On Labs are designed by developers for developers. The labs help learners understand how coding errors can be exploited in 2-5 minute, bite-sized sessions, and promote secure coding practices by tracing a vulnerability from the UI to its source. Kontra Hands-On Labs uses simulations built on recent, real-world scenarios to help developers think like attackers, analyzing attack surfaces and recreating the steps a criminal could take. Developers are also provided with relevant secure code samples that prescribe how to fix the vulnerabilities exploited and explained in the training.

Learn More

Our Application Security Training portfolio provides security knowledge through Courses and realistic defense and attack simulations through Kontra Hands-On Labs. Contact us today to learn more about how Application Security Training can help you reduce risk, reduce operational costs, and improve software security at scale.