For most companies, security is considered a side quest, something loosely attached to the daily processes. In reality, security ought to be a strong foundation of any organization. To ensure the defense of the enterprise, the relevant teams need strong security knowledge and abilities. You have to be up to date with the latest security trends and risks. Security awareness and skills require consistent training. Oftentimes it seems that training needs to be forced into the daily routine, but that’s not the case. It needs to be implemented in the company security program. Over time, security training increases the overall security of the enterprise, but for that to happen, you need to know some best practices.
1. Embed security training in developers’ day-to-day jobs
Developers care about the product and not about security. It is their job, period. Thus, security has to embed itself into the processes of developers. Some fundamental security awareness training is needed to make sure that developers understand the basic concepts of security, but most of the skill acquisition needs to be situational, adapted to the current activities of developers.
2. Equip developers with hands-on skills to build multiple lines of defenses
Traditionally, enterprise security training was and still is delivered like a university course. Most of the training is a one-size-fits-all video or click-through web-based training that leaves developers with a false sense of knowledge. Only when they try to implement what they saw do they realize that they did not fully grasp the concepts and that they missed the tips and tricks for fixing the most common issues. Hands-on training helps them to think like an attacker and empowers them to design and build multiple lines of defense.
3. A successful enterprise security program needs champions
Security awareness training for developers should build a solid basic understanding for every developer, but it is unrealistic to assume that most people will fall in love with security. Still, a small but dedicated percentage of people will find this topic interesting and quite useful for their career, and one can build a security champion program to allow them to progress.
4. Training for all levels and tech stacks
Diversify training to match the skill levels and technology stacks of developers. As mentioned before, one of the key turn-offs for developer training is when developers have to go through standardized training paths that do not match their daily job or technologies, or do not fit their skill level. It is important to be able to personalize the training at the team and individual level to allow developers to make the most out of the time they spend.
5. Tracking your team’s progress
It is common practice to have some sort of tracking and statistics dashboard for training platforms. These usually report metrics about the training itself: how many hours people trained, a leaderboard of the most active users, etc. The real challenge is to make this data actionable and make sure that managers can discover skill gaps and take corrective actions to close them. A well-rounded training program helps to discover the causality between security issues and the skill set of teams. Hence, security training should integrate cleanly with the other security controls a company uses to ensure product security.
Empower developers to build solid products
Building an enterprise security program is hard. In the previous article, we talked about the fundamentals of organizational change: People, Process and Technology. We believe that People Operations is the most important and also the most difficult part of a successful security program. Security training is a great asset for making the most of human resources. People, unlike Technology and Processes, are unpredictable and can surprise company leaders and managers in both directions. One should use technology to minimize the chance of unpleasant surprises and to empower developers to have an unexpected positive impact on security, which has traditionally been driven by security teams. Implementing training in the security program provides the technological environment for that empowerment. Through training, developers can increase their secure coding skills and thus improve the overall security of your company.