Software Security Training

The overall goals for the Training practice are the creation of a knowledgeable workforce and correcting errors in processes. The workforce must have role-based knowledge that specifically includes the skills required to adequately perform their SSDL activities. Training must include specific information on root causes of errors discovered in process activities and outputs.

Training Level 1

[T1.1: 69] Provide awareness training.

The SSG provides awareness training in order to promote a culture of software security throughout the organization. Training might be delivered by SSG members, by an outside firm, by the internal training organization, or through eLearning. Course content isn’t necessarily tailored for a specific audience. For example, all programmers, quality assurance engineers, and project managers could attend the same ‘Introduction to Software Security’ course. This common activity can be enhanced with a tailored approach to a course that addresses a firm’s culture explicitly. Generic introductory courses covering basic IT security and high-level software security concepts do not generate satisfactory results. Likewise, providing awareness training only to developers and not to other roles is also insufficient.

[T1.5: 27] Deliver role-specific advanced curriculum (tools, technology stacks, and bug parade).

Software security training goes beyond building awareness and enables trainees to incorporate security practices into their work. The training is tailored to the role of trainees; trainees get information about the tools, technology stacks, development methodologies, or kinds of bugs that are most relevant to them. An organization might offer four tracks for engineers: one for architects, one for Java developers, one for mobile developers, and a fourth for testers. Tool-specific training is also commonly observed in a curriculum. Don’t forget that training will be useful for many different roles in an organization, including QA, product management, executives, and others.

[T1.6: 17] Create and use material specific to company history.

In order to make a strong and lasting change in behavior, training includes material specific to the company’s history. When participants can see themselves in the problem, they are more likely to understand how the material is relevant to their work and to know when and how to apply what they have learned. One way to do this is to use noteworthy attacks on the company as examples in the training curriculum. Be wary of training that covers platforms not used by developers (Windows developers don’t care about old Unix problems) or examples of problems only relevant to languages no longer in common use (Java developers don’t need to understand buffer overflows in C). Stories from company history can help steer training in the right direction only if the stories are still relevant and not overly censored.

[T1.7: 37] Deliver on-demand individual training.

The organization lowers the burden on trainees and reduces the cost of delivering training by offering on-demand training for individuals across roles. The most obvious choice, eLearning, can be kept up-to-date through a subscription model. Online courses must be engaging and relevant to achieve their intended purpose. Hot topics like mobile and cloud can attract more interest than wonky policy discussions. For developers, it is also possible to provide training directly through IDEs right at the time it’s needed. Remember that in some cases, building a new skill (such as code review) could be better suited for instructor-led training. Of course, training that sits around on the shelf does nobody any good.

Training Level 2

[T2.5: 13] Enhance satellite through training and events.

The SSG strengthens the social network by holding special events for the satellite. The satellite learns about advanced topics (e.g., the latest secure development techniques for building iOS applications) or hears from guest speakers. Offering pizza and beer doesn’t hurt. A standing conference call with voluntary attendance does not address this activity, which is as much about building camaraderie as it is about sharing knowledge or organizational efficiency. There’s no substitute for face-to-face meetings, even if they happen only once or twice a year.

[T2.6: 14] Include security resources in onboarding.

The process for bringing new hires into the engineering organization requires a module about software security. The generic new hire process covers things like picking a good password and making sure people don’t tail you into the building, but this can be enhanced to cover topics such as secure coding, the SSDL, and internal security resources. The objective is to ensure that new hires enhance the security culture. Turnover in engineering organizations is generally high. Though a generic onboarding module is useful, it does not take the place of a timely and more complete introductory software security course.

[T2.7: 5] Identify satellite through training.

The satellite begins as a collection of people scattered across the organization who show an above-average level of security interest or advanced knowledge of new tech stacks and development methodologies. Identifying this group is a step toward creating a social network that speeds the adoption of security into software development. One way to begin is to track the people who stand out during training courses (see [SM2.3 Create or grow a satellite]). In general, a volunteer army may be easier to lead than one that is drafted.

Training Level 3

[T3.1: 3] Reward progression through curriculum (certification or HR).

Knowledge is its own reward, but progression through the security curriculum brings other benefits too. Developers, testers, and others see a career advantage in learning about security. The reward system can be formal and lead to a certification or official mark in the HR system, or it can be less formal and use motivators such as praise letters for the satellite written at annual review time. Involving a corporate training department and/or HR can make security’s impact on career progression more obvious, but the SSG should continue to monitor security knowledge in the firm and not cede complete control or oversight.

[T3.2: 5] Provide training for vendors or outsourced workers.

Spending time and effort helping suppliers get security right at the outset is easier than trying to figure out what they screwed up later on, especially if the agile team has sprinted on to other projects. In the best case, outsourced workers receive the same training given to employees. Training individual contractors is much more natural than training entire outsource firms and is a reasonable way to start. Of course, it’s important to train everyone who works on your software regardless of their employment status.

[T3.3: 2] Host external software security events.

The organization highlights its security culture as a differentiator by hosting security events featuring external speakers and content. Good examples of this are Microsoft’s BlueHat and Intel’s Security Conference. Employees benefit from hearing outside perspectives, especially related to fast-moving technology areas. The organization as a whole benefits from putting its security cred on display (see [SM3.2 Run an external marketing program]). Events open to just certain small groups will not result in the desired change.

[T3.4: 7] Require an annual refresher.

Everyone involved in the SSDL is required to take an annual software security refresher course. The refresher keeps the staff up-to-date on security and ensures the organization doesn’t lose focus due to turnover, evolving methodologies, or changing deployment models. The SSG might use half a day to give an update on the security landscape and explain changes to policies and standards. A refresher can be rolled out as part of a firm-wide security day or in concert with an internal security conference.

[T3.5: 2] Establish SSG office hours.

The SSG offers help to any and all comers during an advertised lab period or regularly scheduled office hours. By acting as an informal resource for people who want to solve security problems, the SSG leverages teachable moments and emphasizes the carrot over the stick. Office hours might be held one afternoon per week in the office of a senior SSG member. Roving office hours are also a possibility, with visits to particular product or application groups slated by request.