Overview
The current research provides a comprehensive view into current application security approaches and viewpoints among those most directly involved in software development.
As is widely recognized (but not always adopted), a culture of security requires proper training to transfer knowledge of the techniques, tools and technologies needed to reduce the possibility of vulnerabilities when deploying code, while providing secure code documentation and tracking to support future prevention efforts. Implementing DevSecOps requires attention to issues of speed, collaboration, and integration. Addressing these issues with effective best practices includes training throughout the software development life cycle (SDLC) in tandem with deployment of preventive security tools and systems.
The issue of speed in particular should not be overlooked, especially the time between developers posing a question and obtaining an answer. Reliance solely on open source systems such as Stack Overflow has been shown to take anywhere from 2 to 16 days between question and answer, depending on both the complexity of the question and the confidence required to ensure accuracy of the answer (e.g., number of upvotes). For large enterprises, millions of dollars are at stake when looking at the "time to proficiency" for training new hires, and furthermore, two to three times this amount in time (and labor expense) for the internal champions providing this knowledge.
Given the importance that eLearning plays in developing secure software, this ebook provides an overview of our research into AppSec training approaches. Findings include "deep dives" into budgeting, training challenges, time-consuming elements, how best to reinforce AppSec eLearning, and the value of accreditation to individual contributors, managers, and organizations.
Survey Participants
- 200 respondents who are part of the software development, DevOps, or application security teams producing software
- Required knowledge of application security
- Company sizes ranged from mid-market ($50M) to large ($10B) enterprises
- Company builds custom software
- US (80%) and Canada (20%)
The surveys were conducted by Golfdale Consulting.
Demo/Firmographics
Survey respondents came from companies that produce their own custom software. Respondents were part of the software development, DevOps, or security teams, and in this capacity they must have had knowledge of application security. One quarter of those surveyed were managers; the remaining 75% were individual contributors. They came from a variety of industries and a range of company sizes.
Application Security Training
Virtually all companies offered their development, ops, and security teams some form of application security training.
Budgeting for Software Security
While budgets are often set centrally, Dev Teams (managers and coders/engineers) are predominantly the ones who select their training.
Most individual AppSec training budgets sit within a $500 to $2500 range annually.
AppSec eLearning Challenges
While frustrations vary widely, both the depth and breadth of content are the most frequently cited.
Writing new code to satisfy security requirements is the most time-consuming activity, both for individual contributors and for dev managers.
AppSec Training Demands on Developer Time
The average amount of time spent annually on application security learning amounts to just two and a quarter (2.25) days per year, and slightly less for Dev Team managers.
Over three quarters of those surveyed are looking up security topics on a weekly basis or more.
Best Timing and Reinforcements for eLearning
The best times to do AppSec eLearning are during active design (requirements) and Dev / DevOps activity.
A leaderboard for tracking AppSec training would be very popular.
Almost all respondents would opt into an AppSec training leaderboard if it were made available.
Value of Accreditation
Security accreditation is broadly viewed as very helpful for individual contributors, managers of dev teams, and organizations themselves. It helps individuals contribute and guide others.
Conclusion
In the field of cybersecurity, education is paramount. Without exception, individuals directly involved in, or managing, software development, DevOps, and security acknowledge the need for comprehensive cybersecurity training to competently perform in their roles. Whether compulsory or voluntary within organizations, 97% of those surveyed had undertaken some form of training within their current company. Most favoured a broad range of training formats, with eLearning from course catalogue providers topping the list. Interactive training, JITT with short videos, along with code samples and snippets were all popular.
While training budgets are often set centrally, with a portion set aside for AppSec training, the providers are often chosen and decided locally by developers and their managers. These budgets are non-trivial. They typically range anywhere from $500 to $2500 per FTE developer. For the organizations we surveyed, with a median size of ~1250 developers, these ranges translate into training costs of roughly $600k to $3M per year. Despite these investments, writing new code to satisfy security requirements remains the most time-consuming activity. Against these cost and time expenses sits the #1 frustration of those charged with development and deployment: a lack of breadth and depth in many AppSec training programs. Further, much of the training offered is not sufficiently integrated into the application development environment, nor is it interactive. While there is widespread alignment on what is needed, the ability to deliver on it too often falls short.
Three quarters of our respondents were looking up security topics regularly (at least once or twice a week), or even daily, to do their job. However, they were receiving on average the equivalent of just over two days per year of AppSec training, which should reduce this need. Obtaining the cybersecurity knowledge they need during the process of coding and implementation was most favoured. Further enticement to continuously build knowledge in this area through courses, participation in cyber-quizzes, and obtaining certifications could also be reinforced through leaderboards. Overall, our eLearning survey validated the current practice of obtaining security certifications. They helped make jobs easier, made helping others easier, and added to the credibility of both the individuals achieving them and the organizations they represent.