Secure coding training is an important part of a modern security posture, and for some industries it is a requirement. One example is PCI DSS Requirement 6.5, which applies to companies that must comply with the PCI DSS standard: these companies must train their developers on secure coding practices at least once a year. This type of training is even more important in the era of e-commerce, where the primary method of payment is a credit card.
Planning and creating a successful secure coding training plan can be very challenging. There are numerous hurdles to overcome, from developing the right training content to limiting its impact on productivity, not to mention maintaining developers’ motivation while they take the training.
The following lists some of the best practices for creating a successful secure coding training plan. It’s important to note that while “best practices” are not universally applicable, they are a great starting point, especially when it comes to fashioning a secure coding training plan that works for your organization’s unique needs. Start with them, then periodically revisit them to see what has worked and what hasn’t. Keeping tabs on the different components and optimizing them will result in a more effective plan for your organization.
Ideally, the secure coding training plan will specify hands-on training. This helps to ensure that the students apply what they learn in real-world situations, and that they gain experience with the outcomes of those applied lessons. Static instructional methods, such as PowerPoint slides, multiple-choice lessons, and videos, are not as effective as actually coding.
The majority of companies that use slides or videos for developer training have found that these are poor at engaging developers and not very effective. Students who use these methods do not comprehend, absorb, or retain the information as well as they do with a hands-on approach.
Another major consideration when deciding on the right instructional method is whether to have your developers study both offensive and defensive skills, or merely defensive skills. Research has shown conclusively that combined offensive and defensive training is far superior to purely defensive training. To use a chess analogy, it’s the difference between learning how your opponent likes to attack and how to defend against that attack, versus merely learning generic defensive tactics. The former will always be more effective, as your play will anticipate your opponent’s moves instead of just reacting to what you see on the board.
Monolithic, one-time training events are ineffective and lead to pushback from developers. In addition to placing significant demands on employees’ work schedules and personal time, one-off training can be extremely expensive. Beyond the training, travel, and accommodation expenses, there are morale costs from developers being forced to give up their work and personal time, plus productivity costs from developers not working on their roadmap.
Spreading training over a longer period of time means that developers can fit it into their schedules more easily. Additionally, they are more likely to retain the information. Ideally, they’ll receive hands-on training throughout the year, giving them more opportunities to use the knowledge they are learning and retain it.
While every developer should have up-to-date training for their role and seniority, a common starting point at many companies is the Open Web Application Security Project (OWASP) Top 10. This forms a great basic set of lessons, as it gives developers a strong basic understanding of the mechanics of vulnerabilities, including how to detect and prevent them. With the emergence of the API as a major component of modern software development, developers should also study and understand the OWASP API Top 10.
Once you establish the basics, add other topics as necessary. Many forward-thinking secure coding training programs include lessons on vulnerabilities, especially ones that are being discovered in the company’s actual code base. These vulnerabilities are found by their SAST/DAST/SCA tools, code repositories, issue trackers, and bug bounty programs; through integrations with the secure coding training platform, lessons are generated automatically around these findings. This is the epitome of “just in time” training, helping to ensure relevance and timeliness.