While there are currently thousands of institutions around the globe that train people in software development, only a fraction of those focus directly on code security. Surprisingly, even though there is an 80:1 ratio between software developers and security specialists, many still believe that the responsibility to find and eradicate vulnerabilities is only on security experts. This oversight is leading to software being shipped to companies with security issues, incidentally boosting the security risk of modern programming and leading to critical vulnerabilities.
Over the past decade, there has certainly been a shift in understanding of the overall importance of code security, with companies and educational facilities turning toward implementing ongoing software developer training that focuses on coding securely. Everyone that writes code is responsible for its security; duty does not solely fall upon that one security specialist in a company.
In this blog, we’ll trace the need for ongoing software developer training, document current advancements, and demonstrate exactly why it has become so necessary in modern software development.
Has there been a practice of ongoing developer education at the university or corporate levels?
While there are some established practices to ensure ongoing developer education occurs in corporate environments, like training the trainer or the general shift left movement, a large percentage of software developers still report that they feel like they aren’t responsible for security in their organization – only 39% of developers feel fully responsible for security (up from 28% the prior year).
This increase can be, in part, attributed to the rising consciousness around security and the joint efforts of organizations and educational facilities to continue to train software developers throughout their careers.
This practice is certainly beginning to be seen within software development teams across many distinct industries, but the general approach of implementing effective training is where most companies are struggling. Typically, students will come out of university with strong coding knowledge but almost no understanding of compliance and safety. Although some are keen to learn, that still leaves potentially thousands of software developers in a company that need extra education.
Andreas Kotulla, CEO of Bitsea, stated that, “When you look at students coming out of university, they are very well trained in coding and software architecture, and algorithms. But when you look at the use of open source, on compliance and security, there is very little or no knowledge at all.”
In-person seminars at this scale are nearly impossible, and the distinct learning styles across such a large body of developers make virtual classroom learning difficult as well. With so many developers working without a comprehensive understanding of how to code securely, the need for ongoing software developer training has never been higher.
How to get started with ongoing developer training
One of the most accessible starting points for developers beginning their additional security training is the OpenChain Project. As a community that details the best practices for working with and implementing open source components with security in mind, their most recent standard will lay out exactly what developers should consider.
Additionally, considering that OpenChain has recently released the Security Assurance Reference Guide 1.0, new developers are able to see the critical best practices they should be implementing when contributing to and using open source software. There is a range of online resources which developers can download to get a head start before their organizations begin mandatory security training.
Considering that less than 50% of organizations require their developers to undergo formal training more than once a year, the availability of online resources is a great place to begin for self-learning during periods without official training. Alongside enriching a developer’s skillset, the understanding of security practices is now something that companies are actively looking for when hiring future developers, helping them get a leg-up in their careers.
What is meant by developer training at the time of need?
Across teams of potentially thousands of software developers, not everyone is going to have the same learning needs when it comes to security training. Equally, not all of those developers will learn in the same way, meaning that creating formulaic modules that cover core concepts may seem to deliver a lot of knowledge, but may actually have little impact on your company’s exposure to security vulnerabilities.
Discussing the sheer quantity of developers that need training, Andy Knapp from Secure Code Warrior notes, “Our experience has been that training for developers – generally and for security specifically – is somewhat challenged by the scale of the undertaking.”
A much more effective way of creating ongoing developer training is using what’s called “at the time of need training.” This is where certain skills are taught directly based on necessity, or wherever there is a lack within a certain team. After making a team of software developers take a competency test, you’ll instantly see where the largest problem areas within that team are.
Instead of applying blanket teaching, you can instead focus on the skills that the team in question is lacking. Over time, by continually monitoring this and focusing on the largest problem area, you’ll be able to facilitate the rapid improvement of your teams in terms of their security awareness and compliance.
The first step in this targeted teaching is doing a baseline scan on the organization to find competency levels. Alternatively, if there is a commonly recurring vulnerability in your business, that should be an area that you focus on before anything else. This time-of-need method of training allows for high-impact learning that will dramatically improve your organization’s levels of security.
Best practices for developer training
As previously stated, teaching is never about applying a blanket methodology on every single developer that comes through your door. While that would ensure a baseline level of knowledge, it is unrealistic, time-consuming, and ineffective in terms of the direct result your organization will see.
Due to this, there are a few core practices that you should take forward when launching ongoing software developer training programs in your organization:
- Baseline scan – Ongoing training isn’t simply a numbers game. You should endeavor to focus on the highest-impact areas for training, using a base scan of your organization and the skills your developers have to direct your start point.
- OWASP Top 10 – Every year, OWASP releases its Top Ten list, documenting the most pressing security risks currently known within web applications. Each of these points is one of the most critical security risks faced that year, meaning this is always a good place to start when checking your own security. By moving through the list, you’re able to identify points that you can work on to ensure secure code within your business. Starting with high-priority vulnerabilities like these results in faster improvements.
- Company top 5 – Alongside the OWASP Top 10, you can also conduct your own research into your organization’s top 5 most pressing vulnerabilities. With these known, you can then work toward fixing the areas that currently impact your business the most. Offering training on these areas will ensure they become less prominent, with the repetition of these exercises every six months or year providing ongoing development.
- Positive learning culture – When working on creating training for your developers, you should attempt to create an enjoyable environment in which they can learn. Starting some form of healthy competition is a great way to incentivize people. Commenting on positive learning environments, Andy stated, “If we can use these types of events to develop understanding about groups of developers’ learning preferences and styles, then we can start to curate learning paths that are most appropriate to them.”
- Real-time learning – When you are preparing teaching materials, you should attempt to make them as real-time as possible, as this will dramatically reduce the gap in context between the materials and the actual code your developers will be working on.
All of your developer training should endeavor to be manageable, targeted, and directly relevant to what exposes your customers to risk. By focusing on these areas, you’ll be able to offer high-impact training for your developers.
Final Thoughts
While vulnerabilities within software were once attributed to the task pile of the security team, the continual movement toward shifting left has caused developers to take more responsibility for the code they’re creating. To facilitate the progression of your organization’s developers, you should offer ongoing software developer training.
This training, customized for your business and focusing on your core vulnerabilities, will help to ensure that all the code written by your teams is safe, and falls in line with the current best practices for licensure and security compliance. From conducting self-learning with OpenChain documents to engaging in company-run security training, organizations should endeavor to offer their developers as much support as possible.
As the security threat to modern software becomes greater, developers need to take up security as a core principle of how they write new code.