AppSec Blog

Developer Security Awareness: What Topics To Cover

In our last post (Is Security Your Top Priority), we discussed improving the security of our organizations with security awareness training for development teams. Now let's talk about the security training we should provide.

What Topics To Cover

All team members have different knowledge levels of the various threats facing our applications. Some have received little or no application security training. Some may have taken a few courses in college that mentioned some common security issues. A few may have received in-depth application security training from a previous employer. The only way to guarantee everyone is on the same page is to establish a common baseline for all team members.

The first step is covering the fundamental aspects of application security. In this phase, introduce all team members to the attacker: explain who will be attacking their applications and what motivates them, then walk through the attack methodology and the steps an attacker takes to compromise an application. Understanding the adversary helps the team understand why security matters. By the end of this topic, everyone will understand the role they play in protecting the company's assets.

Next, cover the secure software development lifecycle. This is where security is integrated into the daily tasks handled by the development team. Introduce the development team to secure design techniques. Show them how integrating and automating security during construction and deployment will help secure their applications.

When everyone has a fundamental understanding of application security, focus on the different types of applications each team is responsible for. Ensure groups responsible for web applications understand the OWASP Top 10. Anyone working on mobile applications must take mobile security training. Be aware of emerging technologies, such as Cloud and HTML5, and ensure they are being adequately covered.

Finally, narrow the scope even further. Introduce the development team to platform-specific secure coding training. If mobile applications are being written for iOS and Android, make sure the development team understands how to use the security features provided by those platforms. Address the other development teams supporting websites on other platforms, such as ColdFusion or PHP, in a separate training effort. This phase is best received when the platforms being covered are relevant to the audience.

This is a lot to cover, but no one said application security is easy. Taking the time and effort to cover these topics is the first step towards building secure software! In our final section, we will take a look at the different types of metrics that we can collect, and how they can help steer our security program.
