Our client safeguards information for patients, passengers, business people, emergency responders, financiers, and our neighbors. They ensure that their developers build security into their software. This client recently turned to Security Compass’s SSP Suites to provide developers with a foundation of software security and coding based on diverse languages.
CHALLENGE: Create informed Information Security champions amongst their developers.
Our client understands that information security needs to be both promoted and layered. The Director of Application Security works to layer each development department with security champions. The director strives to build the security knowledge of a diverse group of developers:
“We took the OWASP Top 10 and made that mandatory training. The next step was one where our developers didn’t just think about security but had actual knowledge to develop secure products. The training needed to be connected to their work and detailed to include specific attacks with specific solutions.”
The Director of Application Security provided advice for companies who are dedicated to similar work. They encouraged companies who work toward knowledge and defense-in-depth to understand the business importance of security:
“People usually think of security and security training as something that tends to slow down and tack on with things that need to be fixed. Security can be more. Security is a differentiator that helps to close sales.”
The Director also explained how to help a diverse set of developers around the globe, recommending agile security training methods: “SSP is scalable and at a pace we require. Our company is very focused on leading companies to success in the digital enterprise. We develop web-based and internet-based applications. We follow our own example and do our training online as a way for us to offer these courses across geographies and time zones.”
SOLUTION: Diverse eLearning that transformed developers into security champions.
E-Learning courses ultimately helped to create a security culture within the organization. SSP Suites helped our client transform their developers into teams of security champions and secure coders. Our client talked about the successful results for the organization’s developers after they completed training with Security Compass’ SSP Suites: “It is hard to measure a fuzzy requirement like ‘I would like people to know more.’ ‘The right thing to do’ is a hard sell, but I can see measurable results from SSP Suites. I have had people come to me and say ‘hey we were dealing with this security issue, what do you think about that approach?’ This never would have happened; this proactive approach is new.”
Our client described the changes in even more detail: “The developers are now self-appointed champions of security. They’re voicing their concerns about security, in a design or architecture discussion, people are asking security questions. I have seen that in multiple product lines. This is something unheard of before, maybe one or two unique and special developers who had an understanding and cared, but we are definitely seeing more involvement. We usually catch security issues at the end when one of my hacker types finds it. We are seeing that it is harder for us hacker types to find the easier security flaws because they are being solved in design and coding. This is a selling point for my executives. I am looking forward to expansion.”
The developers responded positively to the training. The Director said, “The pace was concise and the lesson break-up helped us manage time. We didn’t have to play all of the audio back, very good that way for online instruction. The quiz questions were actually testing the knowledge; it wasn’t about memorization with the caveat of regulations and standards. We could answer from what we understood, which was a good thing.”
The organization’s developers showed a great deal of interest in the SSP Suites: “The engineers are looking at the career growth option. The other attraction was the easy sign-up online, easily available lessons.” When interest waned, as it often does, the Director actively engaged with the developers to remind them to complete the training, and had help: “Donnie and Michelle from Security Compass helped and provided the marketing for that,” he said. “84% of the developers completed the training and over 50% took the cert exams and passed, so we have newly anointed Secure Software Practitioners.”
Our client has a lot of engineers, architects, and developers. They found great success working with SSP Suites, and they will build on that success: “We ran the pilot program, and what we liked about the vision was the different learning tracks for different roles. We would like to continue working with Security Compass and the SSP Suites; I want this to become part of the learning path at [our company]. I want to see it adopted by all in the company.”
If you want to know more about SSP Suites, then visit our site where you can discover which secure training solution fits your team and sign up for a demo.