How Can You Get More from Your AppSec Education Program?

by Kurt Risley on November 9, 2018

Forbes recently published an article titled “The Cybersecurity Talent Gap Is An Industry Crisis” – and without question, there’s a real lack of cybersecurity talent. Cybersecurity Ventures predicts about 3.5 million unfilled cybersecurity job openings by 2021! The need for cybersec talent is undeniable. According to Gemalto, data breaches compromised 4.5 billion records in just the first half of 2018. The need is great, but will filling the cybersecurity workforce gap alone resolve the issue?

I’ve learned from many hundreds of secure development software deployments and firmly believe that rolling out secure development education at scale can help, especially when you have good application security testing tools. Effective tools, integrated throughout the SDLC, are extremely important for detecting issues early in the SDLC, but the results they return need to be reviewed and remediated by your security and development teams. To do that effectively, your teams need an AppSec education program.

Building an AppSec Education Program

Developer training is the foundation of a robust AppSec program, and part of that is promoting an AppSec-aware culture within your organization. The people building and testing software in your organization need to be aligned on what good security looks like and what it means for them. That kind of alignment requires your organization to be committed to security as a whole, so it must be part of your company culture as a whole.

Your developers can’t protect against what they don’t know exists, and the rapidly changing nature of security vulnerabilities presents a problem if you don’t have AppSec education in place. Ongoing training, education and awareness helps them learn how to spot and fix emerging security vulnerabilities. You need to train all your developers to a strong, consistent baseline. They’ll be more effective if they are aware of the latest vulnerabilities and the techniques hackers are using to compromise applications. When they have this level of education, you’ve effectively empowered your developers to be part of the cybersecurity talent you need.

Sponsorships Available

Creating an Effective Secure Development Training Program

Empowering your developers sounds great, but how can you make them actually participate in your AppSec education program? It’s a fair question. Most developers hate watching Flash videos. They don’t want to watch something that’s not relevant, isn’t appropriate for their programming languages, and takes them away from their coding time but doesn’t return any value. It’s essential to make their training fun and time effective. They need training that enables them to interact with real-world vulnerable environments so they can see and understand the most common security threats affecting applications. Make it fun by adding gamification, so you can tap into their competitive spirit.

Another critical step is to make your AppSec education program mandatory across your organization. When it’s simply part of how you run your business, you reduce onboarding and adoption friction from different teams within your organization. If everyone does it, it really does change the culture of security within your teams. And when you made it mandatory, make sure you’ve also built in ways to effectively measure and monitor how and who is using your education program. It doesn’t matter if you have an AppSec education program if no one’s participating.

Start Security Training for Your Developers Now

As DevOps becomes the most common approach to building and operating in today’s business environment, our software developers need effective training. Yet a recent survey showed 70% of developers said they are not receiving necessary training to be successful. Security training empowers your developers, while saving your organization time and money. Remediation costs for issues found using dynamic analysis can be over 10,000 times the cost had those bugs been identified in the early coding stages. Not sure how to start? Watch this recent webinar on how you can get more from your AppSec education program or learn more about CxCodebashing, our in-context, on-demand application security training.

Kurt Risley

Kurt Risley brings 20+ years of Enterprise Software experience with numerous roles from Consultant, to Architect, to Pre-Sales, Sales and Leadership. Kurt’s focus at Checkmarx is oversight of all aspects of Codebashing e-Learning solution for North America.