Implementing application security practices in a company goes far beyond performing tasks; it is a culture to be cultivated. In this journey, education is a fundamental step. However, what exactly is education in an AppSec context? Who is responsible for ensuring the continuity of these activities in pursuit of cultural transformation?
These were topics covered in the webinar The Role of Education in AppSec Culture, which took place on November 3rd, 2022.
To discuss the subject, we invited Daniel Dalalana, CEO of WSS Security, who spoke with our CEO, Wagner Elias.
But after all, what is education in AppSec?
Daniel and Wagner started the conversation by defining the differences between education, awareness, and training. They also addressed the importance of exchanging experiences between professionals with different backgrounds. “Sometimes the person with the least experience is the one who will ask questions that will put you in a position to build knowledge,” declared Dalalana. “And that’s what education is: an exchange between spaces for this knowledge construction, which goes far beyond this concept of acquisition”.
Why is Application Security not covered at college?
During the conversation, a pertinent question came through the chat: “Why is it common for undergraduate technology courses not to teach good practices for secure development?”. For Wagner, this is something natural. “This is a moment to learn the concepts, the fundamental basis for exercising our profession and solving problems”, he stated.
“There is no way to leave college prepared to deal with security – security is specialization. Now, what needs to be clear is that the foundation needs to be very good, so good that when you leave college, with little education, the security concepts will become clear”, he explained.
How to create AppSec awareness?
They also covered the challenges of AppSec awareness. “Awareness is not an occasional instruction, it is a continuity of cultural thinking. It’s a long-term thing. Forget ‘awareness week’, or punctual lectures, but of course, you have to start somewhere”, reinforced Dalalana.
Bringing security education and awareness to other teams in a company, such as Product, Design, and Marketing, was also a debated topic. Both agreed on the importance of each professional in a company having contact with the subject. “Everyone involved needs to understand the importance of security,” declared Wagner.
Discover People & Culture
At Conviso, we know well the main problems faced by companies and the market when it comes to AppSec – and how to solve them. That’s why we created People & Culture, an advanced AppSec training solution that is integrated into your process. Our solution relies on gamification and secure code challenges that are contextualized and based on your team’s main gaps – so that vulnerability correction is no longer a challenge and becomes a culture in your company.