But the developer role is already stretched so thin and many developers don’t have a background in security. How can you get developers up to speed on security measures in an engaging manner that doesn’t add too much extra work? And how can you ensure that your developers are successfully implementing the security learnings?
Leveraging findings from a recent Enterprise Strategy Group report, Modern Application Development Security, and tips from our Director of Development Enablement, Fletcher Heisler, we were able to establish a list of best practices to follow when training developers in security.
Make security training a real requirement. Developers are very busy. If they’re not required to take secure coding training, it’s highly unlikely that they will. So, make it part of their goals. And to ensure that they’re paying attention to the trainings, consider adding knowledge checks.
Make sure the training is relevant and engaging. As Fletcher states in Four Fundamentals of Education The Sticks, use training tool like Security Labs that “bring magic, adventure, and exploration back to security so that developers can actually explore when something goes wrong.” And make sure the examples are relevant to the developer’s day-to-day work. The more realistic, the more serious they take the training.
Measure the effectiveness of the training. Don’t just assume that developer training is working, track it. To ensure that your developers are implementing the learnings from their security training, you should track both issue introduction and continuous improvement metrics for both scrum teams and individual developers. By keeping track of these metrics, you can tailor future security trainings toward areas of weakness. [As you can see in the chart below from Enterprise Strategy Group, only 41 percent of organizations are tracking the continuous improvement of development teams.]
Offer a mix of training types. Not everyone learns the same way. Some developers might prefer instructor-led courses while others might like on-demand courses or hands-on training tools. It’s also important to keep in mind that developers likely have different levels of security knowledge. A new developer might need an introductory course to secure code training while a more experienced developer might benefit from a more technical course.
Implement a security champions program. Many organizations benefit from implementing a security champions program. To start a security champions program, select interested volunteers from each development team and give them extra tools and training needed to be security experts on their scrum teams. They’ll be able to pass along their additional security skills to peers on their team.
In fact, our customer Advantasure was able to train over 600 developers by implementing a security champions program. The security champions became security ambassadors on their scrum teams, making sure everyone was up-to-speed on their secure coding courses.
Keep these best practices top of mind by downloading our printer-friendly checklist, The Top 5 Best Practices for Developer Training.