In 2020, Conviso surveyed companies from all over Brazil to understand what the local AppSec market was like at the time. The data collected showed us that the greatest difficulty was to switch the culture into one that prioritizes building secure applications, as well as investing in appsec training in development teams instead of investing only in security tests.
But over the last few years, has the Brazilian market become more aware of the necessity of investing in AppSec training?
And in your organization – is there already a culture of continuous development in this sector? In this interview, the tech lead of the Consulting team at Conviso, Rodrigo Maués, tells about the changes he has witnessed over the six years he has been working and providing training in companies on behalf of Conviso, to raise awareness of the AppSec culture.
This is the first of a series of interviews that we will do with our experts to show you, our blog reader, a little more about the daily life of those who work in AppSec.
In your nearly six years at Conviso, do you feel that there has been a change or maturity in the market concerning capabilities in secure development?
Yes, we’ve seen a lot of change. In the beginning, it was difficult to show the importance of secure practices, as well as to make the development teams understand that it is important to look at the development process and seek to improve how we build code so that a safer application can be delivered. Now we have improved a little, even because we were “forced” to do so, in a way. But companies, and especially development teams, are beginning to understand that it is better, cheaper, and less laborious to act correctly in development.
At Conviso, we have noticed this with the increase in training and the consulting services we have, where in addition to showing good development practices, we help our customers to build a more structured development process, or even implement a Security Champions program.
During the training developed by Conviso, what do you feel is the biggest challenge faced by devs, and by security teams in the AppSec market today?
I still understand that the biggest challenge is still changing the culture to a more robust and structured process. In addition, we still find development teams with a quite shallow understanding of basic security concepts. But we will be able to transform this scenario!
What surprises you the most in these situations?
I see both things happening with every training session. I am surprised by the lack of basic knowledge of study sources that have been on the market for more than 15 years and remain unknown to the vast majority. But I was also positively surprised when we closed the training, I saw that they were curious and started to ask questions about more content, and more references. This shows that we were able to achieve one of our goals: to stimulate curiosity.
Do you feel that there is already a culture of constant training on the part of security professionals?
In a few companies, yes, but unfortunately many leave it to invest in times of crisis, or even when they need to comply with an audit and/or compliance observation.
What is missing for the market to acquire a mindset focused on constant training in AppSec?
I believe this will happen. When today’s training starts to show that the result for the application is positive, this key changes, and we will see companies much more focused on preparing their development teams. Capacity building and training are already important points, but when this becomes financial gain, it gains importance and traction.
And the security champion’s role is already well understood/widespread in the market?
Not yet. But we are clear that this figure is still relatively recent, and the role of Security Champion needs to be introduced more and more to the companies. The term we have already seen appears in many places, but we still need to help in understanding its roles, responsibilities, and how it is formed. In a way, we still have this difficulty in the market, there is a lot of misunderstanding. As with other concepts.
Speaking of materials for training – how does it work at Conviso? How is this material developed?
We always try to be up to date with the topics, but I understand that the best teaching approach is still the presentation and formation of basic concepts. Focusing on concepts, for me, is the best way to generate knowledge. We have basic training in Secure Development, and it is common at the beginning of the training for students to think that we are going to spend all our time working on code – often students don’t even understand a development process.
What are your tips for professionals facing difficulties establishing a study routine?
The first point is to understand that studying is not just taking classes. We study all the time when we read an article, when we watch a short video, or even when we read excerpts from books explaining a point we don’t understand. We study whenever we seek to understand something. But what we also need to do is generate knowledge, discuss what we learn with others, and share what we learn – that’s how we generate knowledge. When the professional realizes this, he will stop worrying about separating “x” hours for study and will understand that he is studying all the time! But yes, it is still very important to have a structure, but not be limited to it.