Breaking Software Security To Fix It: 5 Steps to Training that Delivers More Secure Applications

Solutions Review’s Contributed Content Series is a collection of contributed articles written by thought leaders in enterprise software categories. Ed Adams of Security Innovation walks us through why you may need to break software security before you can fix it.

Software runs the modern world, from online trading applications to cloud-based SaaS, medical devices, and even hardware. These software-driven systems incorporate maze-like interconnections and dependencies that make them vulnerable to attack. Compounding the challenge are the blurred lines between builders, operators, and defenders, who all have a hand in building and deploying software securely.

Software’s security stakeholders have exploded beyond the core developer in the rapid-release world of agile, DevOps, and CI/CD. Cross-functional skills are more critical than ever; however, long-established training methods aren’t keeping up with emerging technologies, methodologies, and roles.

Breaking Software Security To Fix It

What’s Broken?

  • People are learning the wrong things: While security fundamentals are core to all software stakeholders, cookie-cutter content and one-size-fits-all courses lead to “not-for-me” burnout as teams feel they’ve wasted time on training that isn’t relevant to their job function.
  • Too much focus on code: Organizations often equate software security with code security rather than resilience. Developers today spin up servers and assemble software rather than coding from scratch. “Tangential techies” like DevOps Engineers, Analysts, QA/Test, IT, Database Admins, and others get forgotten and keep making mistakes that propagate into vulnerabilities, especially in deployment.
  • Outdated Content: Threats, standards, attacks, and technology change almost weekly. New vulnerabilities in third-party software components, hardware devices, and deployment environments are continuously uncovered. Training content must account for these factors, as well as emerging technologies that affect development in the immediate future.
  • Training methods don’t reflect the “real world”: It’s no secret that humans learn best by “doing” in a familiar environment that reflects their on-the-job scenarios. If learned information isn’t applied, research shows people forget about 75 percent of it in just six days.

The Fix:

Here are five steps you can follow to deliver a training program that expands security competency across your organization:

  1. Define objectives, goals, and metrics: ROI is the gold standard; however, it’s very elusive. Organizations don’t have the processes and metrics in place (especially early on) to measure ROI. Goals can be qualitative or quantitative (e.g., gain cloud skills, train a certain percentage of teams, meet specific compliance mandates, or build a security culture/mentality). Build in flexibility during implementation to quickly change course and add/remove components to suit the progress and needs of each learner.
  2. Assess current roles and competencies: Identify primary and secondary software security stakeholders, assess current competencies, and determine the skills needed. Not everyone needs to be a security expert. Setting a baseline for similar roles is critical to identifying skills gaps and determining the requirements of each stakeholder group.
  3. Determine how you want to implement: For most organizations, building and maintaining an internal training team is costly and challenging, especially when it comes to staying on top of the cybersecurity landscape. Scaling security training across global teams and large DevOps organizations is also difficult, so consider a short but hard-hitting pilot program that starts with a small group. This ensures issues like duration and applicable content are resolved before rolling out to a larger audience. Some will choose to focus on developers from the start; others want to raise security awareness across all their identified roles. There is no right or wrong approach; the key is to have a plan with well-defined learning paths that are manageable and can be expanded upon.
  4. Adjust as you go: Once role- and tech-specific learning paths are rolled out across your organization, use learning management tools to review trainee feedback and evaluate performance. Based on feedback, adjust and expand learning paths accordingly. For example, you might find that a product manager needs to understand security within IoT, so you might add this role or modules that weren’t originally included. A trusted training provider can help you create and implement measurement tools that deliver insights to ensure ongoing success. Once you have a training program in place, you can work towards more salient metrics like ROI (assuming you have defined pre- and post-states to measure), reduction in vulnerabilities, and reduced time to remediate. Remember, training is not a one-and-done effort. Because industry and security requirements change unpredictably, new needs will emerge for reskilling and upskilling teams.
  5. Make it engaging, individualized, and dynamic: A recent Ponemon Cybersecurity Training Benchmarks study found that realistic simulation and role-specific content have the greatest impact on training program effectiveness and ROI. Training should be tailored to the technology learners use, the activities they conduct, and the standards they need to adhere to. Modularized, topic-based content simplifies the process of delivering the right content and hands-on experiences to the right people, reducing the sighs and “not for me” feedback. This creates learning paths that are more like a blueprint for a building made of Lego blocks. With the right pile of component blocks, you can design a highly relevant curriculum for numerous audiences with minimal effort or rework. Reinforce training courses with blended learning opportunities, such as labs, cyber ranges, and realistic simulations. These hands-on settings provide environments with real code or live applications, enabling learners to find vulnerabilities, change code, and see the code in a deployed app. Hands-on learning reinforces training concepts to help cement progress. Lastly, consider belt and other tiered programs that self-motivate teams and are tied to compensation or promotions.

Tip: Security champions can super-charge knowledge transfer. They can be secret agents embedded within development teams.

Final Thoughts

Implementing and executing a more customized, flexible, and engaging training program may require a more significant up-front investment, but the payoff goes far beyond skilled employees. Secure software applications significantly reduce risk and protect their organizations’ data and users.
