Application Security

Why invest in AppSec Training

How can AppSec Training help?

Aren’t you eager to know how training can help your company reach maturity in Secure Application Development?

Security training is an investment that organizations are often not fond of, because its results are hard to see when analyzed over a short period of time.

In this article, we look at how Secure Development training can bring long-term benefits to the company beyond simple compliance with a standard.

Knowing how to align a strategic training program can help your company produce more secure applications that last longer.

How training is seen

Why should you worry about training for your development team?

When looking at a well-designed development process, we find that the first step is training. This is not just a shot in the dark.

By starting the training process, we give our team the chance to acquire knowledge that is important to every step of the development process.

However, what we have noticed is that many companies treat training only as a matter of conformity with some standard or policy.

Thus, it is not surprising that when a leak or data compromise happens, one of the company’s first statements is that they do everything required of them and are therefore in compliance with the law.

It is extremely important to emphasize that we are not judging the existence or fulfillment of any standard.

What calls our attention is the fact that training is treated as something superficial, done only to obtain numbers, when its benefits could be explored much further.

What we have seen, therefore, is training that is not designed to offer a real improvement in knowledge, which is exactly what secure application development requires. In the long term, this can become a bigger problem.

What not to do in a training

In the article How Important is Role Specific Developer Security Training, the author presents relevant points that must be observed to have efficient training.

However, at this point, the focus is on something we understand to be essential: observing the real knowledge needs of the development team.

In the author’s words:

“It’s essential that your security training recognizes these fundamental differences, and allows developers to improve their security knowledge of the language they specialize in.”

In a certain way we are aligned with this thought, because we understand that training must reflect the specific learning needs of each team, and not be based only on static knowledge.

This means that training that does not observe the methodology established by the team ends up not being very efficient.

Therefore, good training must observe three main points, which we will now cover.

Three important points on AppSec Training

As mentioned, training must address the specific needs of a team.

Nonetheless, to be efficient it is important to direct it at the deficiencies of a specific audience. Better still if it is customized: in this case, it addresses specific flaws that might be happening in the company, for instance.

Hence, training that does not follow this premise ends up with low learning retention as well as poor adherence to its target audience.

We will now cover the three main points that must be observed to maximize the level of retention by the team, so that it brings long-term benefits to the company.

1. The AppSec training language

It is important that the training uses the language the team programs in on a daily basis.

More generic concepts are important, but bringing knowledge that can be used directly is even more efficient.

2. The AppSec training methodology

If your team uses a DevOps approach, it will not be efficient to have training based on other methodologies.

For instance, if the training focuses on more traditional development models, such as waterfall, the content may not be of interest or may even be a total waste of time for the team.

For the developer to really accept the content presented, it is extremely important to have a connection between what is said and their daily reality.

3. The AppSec training technology

Thus, it is not good to have training on technologies that have nothing to do with the developer’s routine.

Moreover, if the company has a monolithic structure centered on internal infrastructure, for instance, how effective will training on cloud-based microservices be?

Therefore, it is important to address the structural models and technologies that are part of the developers’ routine, without having to draw parallels.

Now we can start learning…

We need to be clear that the closer the training is to the developers’ reality, the more efficient it will be.

These three pillars must be understood as fundamental steps when talking about truly improving the security knowledge of a team.

Training as an improvement of metrics

When correctly implemented, training can be the root of an improvement process for application development. It can reduce bad metrics and enhance good ones.

One way of doing this is to have training that is direct and specific to the needs the developers have.

When we combine ongoing training with security champions, we can say that we are almost certain to see a significant increase in the security knowledge of your team.

Within a managed context, training can act as a preventive control, as it directly impacts the reduction of vulnerabilities.

Security Champions are one of the most important pillars in creating a secure development culture, and to have good security champions they need to be constantly updated.

Hence, an efficient training program contributes to the formation of security champions and to a better general understanding of security.

This thought is also present in the article mentioned above, where the author points out interesting aspects of training.

“Your security training strategy can be a mechanism to create active, effective security experts in your development organization. These experts (often referred to as Security Champions) act as the resident security experts for your development groups.”

The important thing is to build a training curriculum that meets the knowledge and skill needs of both the security champions’ team and the developers.

Deciding on the correct AppSec training for your team

As mentioned, basic training, required by policies or done just to meet demands, does not present visible results in the long run.

This can be easily observed by analyzing the large number of data leaks, even in companies that have kept a sizable budget for training.

Moreover, conducting training with the purpose of improving application security, but with methodologies that simply seek compliance, clearly does not work.

The best way to determine an efficient AppSec training program is to build it based on the learning needs of the group.

Therefore, even if your team trains as required, in many cases some savings on investment might occur, but the content may not bring anything new. In the end, the knowledge gained is null, since this training repeats the content of previous ones without modification.

Based on the observation of cases of companies that invest in continuous training, we realize that when the subject addressed meets the needs of the team, the results are usually much more effective.

Training should, therefore, be regarded as a security control.

Like any control, it must be evaluated to understand how effective it really is with respect to the point of improvement.

And for the training to be validated, this assessment must have clear metrics.

Thus, training should be treated at the same level as other operational and security controls.

Therefore, with expected objectives and clearly defined assessment methods, training is more likely to achieve satisfactory results.

This is because, as we mentioned above, more efficient training is notably the one that has its content built according to development needs, rather than reproducing a standardized model.

SAMM, one of the most commonly used maturity models in Application Security, shows us in Education & Guidance – 2 that special attention should be paid to how training is built.

The training should be built around the learning needs of the developers, and it contributes to the formation of mentors who will help the team to better develop their skills.

3 main long-run benefits of AppSec Training

We saw above that there are several reasons for a company to do AppSec training.

They range from the need to comply with current regulations, and thus protect against incidents such as data leakage, to showing clients that their developers train on an up-to-date and continuous basis, aligned with best market practices.

Let’s better understand each of these points and how they can affect the maturity of your business in the long run.

1. Capacity building – don’t give the fish, teach how to fish

It may seem obvious that building your development team’s knowledge is an important part of Secure Development.

But it is important to remember that one of the best allies for this is keeping the practice of continuous training, so your team stays aligned with what is new in the market and is able to act even in cases that require a quick response.

After all, we know that the AppSec market is constantly changing and the search for improvement must always be present when we talk about Secure Development from the inside out.

Promoting the culture of Secure Development means giving developers access to constant learning, whether through theoretical training, hands-on sessions, or even e-learning.

Keeping training going continuously builds the mindset that the team has to keep its competencies high, independently of investments in other security validation methods such as pentests, code review, and automated analysis tools.

2. Control and prevention are better than cure

Well, of course by now you know your organization can use AppSec Training to prevent risk and promote the security of your software.

After all, the application security industry should work mostly with training that prepares professionals to prevent “Black Hat” attacks rather than “White Hat” attacks.

This is because malicious attackers are always one step ahead of security professionals, so it is very important that training takes place continuously and systematically.

In the current scenario, what we see is that the number of malicious attacks on companies remains high – and this is true even for companies that would have a considerable budget to invest in information security.

However, many companies continue to ignore the need to prepare in advance for these attacks, directing resources and efforts almost entirely to act reactively when needed.

This may mean an initial saving, but it can end up causing huge losses: and here, unfortunately, we are not just talking about the financial burden.

But all is not lost: we can see that as companies mature, more and more organizations realize the importance of anticipating these risks by acting preventively.

And one of the most effective ways to deal with this risk factor is by specializing and empowering development teams so they can write code in a more secure way.

This means saving time and money on the security validation of production software, because security is built in from the ground up.

3. AppSec Training Is Just the Beginning: A Path Revealed as you go

Conducting training aimed at achieving greater engagement and leverage from development teams can be the beginning of a strategy to have more and more security experts in your company.

These specialists can be called Security Champions, as mentioned above, and they can greatly facilitate communication between Development and Security teams within companies.

To build a culture of continual pursuit of knowledge and skill improvement, regular training helps to promote learning and encourage the mindset that AppSec is a constantly changing area.

Thus, it is important that the training curriculum involves different learning methodologies, always focused on the needs of your team.

One thing is for sure: the more specialized your team, the greater your demand for future training content.

And this will bring significant gains to the company’s maturity: get ready to rely on an increasingly strong team engaged in the application security community.

AppSec Training in a nutshell

From what we have covered in the previous topics, we can see that simply conducting standardized training will not always achieve the companies’ real goals of increasing their degree of security.

By choosing the most common training on the market, we can say that the result will inevitably be the opposite of the desired one.

That is, you end up with outdated knowledge, or knowledge without any adherence to the team.

And in this case, we can say that this is an investment that does not bring real benefit to your company.

So for the investment to be justified, conducting security training for development teams must be taken seriously, with proper strategic planning.

Conducting training should be viewed by companies as one of the best times to improve the process.

When you have the opportunity to put your team’s expertise to the test, it is precisely when your team most enriches its knowledge base and skills.

We understand that training should be planned and executed with the necessary care and always with very clear goals to be achieved.

Therefore, AppSec training can’t only be viewed as a step in a compliance process, it has to be viewed as a time for your team to evolve, which will clearly bring positive results for your products and services.


References for this article:

How important role specific developer security training

OWASP: SAMM – Education & Guidance

About author


Over 15 years of experience in Information Security and Applications, a graduate in Data Processing, he worked as a Professor and actively participated as an instructor in training for more than 6000 developers and IT teams. Father of two daughters and trader in his free time.