All secure software development methodologies emphasize cyber security training. Let's see why and how to do it.

The most cost-efficient way to secure a software product is to adopt secure coding practices. All secure development methodologies emphasize the necessity of cyber security training to achieve this.

• In BSIMM, the Training practice within the Governance domain has 12 activities dedicated to training developers in software security.
• In OWASP SAMM, the Training and Awareness and Organization and Culture streams of the Education & Guidance practice each have three activities dedicated to educating software developers.
• In MS SDL, Practice #1 is to provide training to everyone involved in development to help with software security.

In all cases, the end goal is to secure the software product. So, what does ‘cyber security training’ mean in practice?

What do you need to know?

The basic tasks to be performed during the Software Development Life Cycle (SDLC) are management, design, coding, testing and deployment. Let’s also consider an additional role, security, to represent the security experts at the company – this is called the SSG (Software Security Group) in BSIMM. Depending on the development methodology in use at the company, some of these may be more emphasized than others and developers may be wearing multiple hats at the same time. Since both BSIMM and SAMM not only stress the importance of cyber security training, but also role-specific training tracks, let’s look at the roles separately:

• Managers should be aware of the governance aspects of secure software development (e.g. incident response) and should also study the planning of security requirements.
• Designers should learn about security requirement specification, vulnerability management, threat modeling and risk assessment.
• Coders should learn about software security concepts and secure coding practices as well as finding and fixing common security vulnerabilities that are relevant for the programming language and technologies they use.
• Testers should learn about security testing concepts and tools, security-focused code review techniques, and methods to find common security vulnerabilities in a program.
• Deployment personnel should know about automated security tools and their integration into CI/CD, system hardening, and best practices.
• Security personnel should be knowledgeable about reviewing and auditing architecture, design and code for security-relevant issues. Unlike testers, security personnel tend to be separate from the development team, and thus better suited for a penetration testing approach.

How can you know it?

Cyber security training can be delivered in many different ways ranging from traditional classroom models to remote classes. Of course, internal resources are just as important. Developers can learn effectively from internal documents and a regularly updated knowledgebase of security issues specific to the technologies used by the company. In addition to this they can be coached on certain aspects of software security by experts from the SSG, and participate in company-organized security events or challenges.

And of course, everyone at the company – not just developers! – should undergo cyber awareness training to understand cyber security issues and their importance.

Cyber security training is a process, not a checkbox

Software security is a constantly changing landscape. Many of the skills and best practices are universal, but new technologies – and by consequence, new vulnerabilities, exploits, and countermeasures – pop up all the time. Web security is a good example of this, but even in embedded development there are going to be regular changes to the status quo.

The way to tackle this challenge is through continuous learning – a buzzword, sure, but also unavoidable in the security arena. It can be achieved by regularly sending developers on refresher courses (BSIMM suggests annual refreshers), but a potentially better solution is to raise their curiosity about the topic enough that they will seek out new knowledge of their own.

That said, this curiosity isn’t likely to pop up by itself. It has to be sparked and cultivated, which is why focusing on each developer’s learning journey – as opposed to just the topics covered in a cyber security training course – is so important. Our gamified lab environment at Cydrill was designed for this model: even after the training is over, developers can sign up for our e-learning platform and receive new hands-on lab exercises every month to help with continued practice and retention. A continuous learning license is available as a follow-up after all of our courses.