[T1.1: 83] Conduct awareness training.
To promote a culture of software security throughout the organization, the SSG conducts awareness training. The training might be delivered, for instance, by SSG members, an outside firm, the internal training organization, or through e-learning. Course content doesn’t necessarily have to be tailored for a specific audience. For example, all developers, QA engineers, and project managers could attend the same “Introduction to Software Security” course, but this effort should be augmented with a tailored approach that addresses the firm’s culture explicitly, which might include the process for building security in, common mistakes, and technology topics such as CI/CD and DevSecOps. Generic introductory courses that cover basic IT or high-level security concepts don’t generate satisfactory results. Likewise, awareness training aimed only at developers and not at other roles in the organization is insufficient.