Security Training Program – Fixed or Customized?

Thursday, November 07, 2013

Rohit Sethi


My colleague Vishal Asthana, Security Compass' regional director for India, takes a closer look at key questions to ask when implementing a software developer security training program:

Let’s assume your market research confirmed the need for a product and you went ahead and developed one. You even have a list of prospective customers who are eager to check out the product before buying. Further, let’s assume the customers know the broad requirement for which they are trying to find a solution but don’t know whether an off-the-shelf product that requires no customization would serve them better, or one that needs to be significantly tailored to their needs.

As more and more customers demand products developed in a secure manner, ISVs (Independent Software Vendors) realize that imparting regular security training to their development teams is slowly becoming a norm. Metaphorically, an application security training program can thus be considered as the product and members of various teams as prospective customers.

What do you think would be a better offering for the development teams, a fixed training program or a customized one? Hold on to your answer and read on to find out the key aspects that should be addressed to arrive at a data-driven answer:

  1. Prior knowledge: Has the intended audience been through a similar application security training program before? If so, which areas did they find most effective, and which least effective?
  2. Duration: What kind of development model do the development teams use? For example, teams on Agile (Scrum) work in sprints, each lasting between 2 and 4 weeks. Dedicating a few days to a security training program is practically infeasible for such teams. Can the offering be compressed to accommodate this?
  3. Time of training versus time of use: When will the attendees be able to apply the knowledge gained? For example, a .NET development team is educated about the use of the Fortify SCA (Source Code Analyzer) tool, rule customization, false positive analysis, etc. Will they be installing and trying out the tool for their current release, is that part of a future roadmap, or is it not yet decided?
  4. Content: Will applicability of each section be considered while outlining the training agenda? For example,
  • Covering CAS (Code Access Security) in a .NET training program wouldn’t give any ROI if the team in attendance has no plans to use it at all in their current or future releases.
  • Covering a section on buffer overflow issues and compiler security flags wouldn’t be of any use to attendees working with managed code on a day-to-day basis.
  • Web services behave differently from web applications. Covering web application vulnerabilities in detail during the training would not be of much use to attendees whose KRA (key responsibility area) is to develop web services.

In our experience, ROI for the attendees does increase significantly if all the customization aspects listed above are factored in.

Cross-posted from the SC Labs blog.
