What makes modern secure coding training So sharpen developers their skills
Anyone who wants to code securely needs best practices and up-to-date knowledge. Although developers like to use the latter, they often regard training programs as a disruptive interruption to the actual work. Efrat Yahav, Customer Success Manager at Checkmarx, explains how interactive training and gamification can help.
Company on topic
Gamification is very suitable for exciting cybersecurity simulations.
(Picture: © artinspiring – stock.adobe.com)
Security-relevant vulnerabilities in software are not a blemish, but can cause massive damage to companies. So developers need to do everything in their power – and put all their skills and knowledge to the test – to develop safe products. This also means that you must have the right to stop insecure releases and point out security-related vulnerabilities of existing applications as soon as you encounter them. If you feel that you lack the necessary skills and qualifications to achieve this, the company must provide you with the opportunity to acquire this knowledge – usually in training and education.
The range of training courses and platforms in the field of secure coding is huge, ranging from classic frontal lessons to lengthy online presentations and interactive secure coding tournaments embedded in the daily lives of developers. At first glance, finding your way around this wide range is anything but easy. The following five aspects must be taken into account when selecting and implementing a modern application security and awareness program…
1. Avoid frontal lessons and boring online trainings
Anyone who has already had to take part in a mandatory online security training in the course of compliance checks knows how time-consuming and monotonous these courses can sometimes be. Often the participants only have to work through one presentation after the other. The next step is to answer a series of multiple-choice questions-all of which are designed to mislead the participants rather than actually test the level of knowledge.
2. Rely on compact and interactive sessions
Such trainings, which are all about checking off checklists, are not only useless, but also dangerous. But do we know how to do it better? Yes: With compact, easily digestible and interactive sessions instead of tedious and boring sessions. Thus, the participants repeatedly achieve small successes, which add up to a large and sustainable progress. For example, instead of working through an endless list of slides on XSS, you should present your team with small challenges within the development environment that show practical examples of how to protect yourself from XSS vulnerabilities. This makes learning and sticking to it fun, and the lessons stay stuck permanently.
3. Use the possibilities of gamification
Gamification refers to the application of game design elements and gaming principles outside the context of a game. The benefits of gamified training are well known: it is proven that we learn better and stay receptive for longer if we have fun while learning, follow a clever story and take an active role. Since developers spend most of their day in front of a screen and looking at lines of code, they value such casual and playful trainings far more than boring lessons. And gamification is also very suitable for exciting cybersecurity simulations, such as scenarios in which attackers exploit vulnerabilities and defenders have to close the gaps.
4. Convey knowledge always context-based
But classical frontal teaching is not only inefficient because it lacks playful elements. There is also a lack of context: as soon as you tear your devs out of the development environment, they break through the daily processes and make it difficult for you to recall concrete problems. The input should therefore always be provided where it is needed: when coding. Ideally, the training platform should automatically alert the developer to safety-related errors during programming, explain them in a short, playful training session, and then provide practical tips for fixing them.
5. Keep an eye on your AppSec awareness metrics!
When you invest in AppSec and awareness training, you also need to be aware at all times whether this investment is paying off – and whether the risk potential in the area of software security is actually decreasing. In order to ensure continuous improvement, it is important to accurately document the progress of your development teams and to constantly re-evaluate AppSec awareness. This allows you to know at any time whether and in which areas the developers still need further training, track progress and document it to management and avoid repeat errors.
Three simple steps to help you develop safer
1. Work with audited frameworks
2. Access Proven Crypto Libraries
3. Conduct security reviews regularly
Security is increasingly becoming an integral and automated part of software development, and the application security experts of many companies today work closely with the development departments to make their own applications more secure. At the same time, there may be discussions about who is responsible for application security in which sub-area. At its core, however, developers, app-sec experts, and DevOps leaders all know that security is ultimately a collaborative project that will only succeed if everyone involved pulls together. This includes ensuring compliance with secure coding practices throughout the SDLC – and up-to-date playful and context-based training approaches are a good way to set the course.
About the Author: Efrat Yahav is Customer Success Manager at Checkmarx.