AppSec Blog

Developer Security Awareness: How To Measure

In the previous post (What Topics To Cover), we laid the foundation for your developer security awareness-training program. Now let's talk about the metrics we can collect to help improve our program.

It's all about the metrics

As we previously mentioned, establishing a common baseline for the entire development team would be helpful. A comprehensive application security assessment should be performed before awareness training begins. For example, the SANS Software Security team has a free web based security assessment knowledge check: A knowledge check such as this allows you to create a baseline, establish core strengths and weaknesses, and steer the types of training to be provided.

As the awareness training takes place, knowledge checks are helpful at the end of each module along the way. These short quizzes ensure each student understands the topic that was presented and provides immediate feedback with any problem areas. The organization can use these metrics to track each team member's progress and understanding along the way. Reports can be generated from this data to show how things are moving along, and even used for employee reviews.

The final step is to repeat the comprehensive security assessment again. This time use a similar exam with different questions covering the same topics. Ideally, the results will show improvement from the original baseline. Doing so will prove the effectiveness of our developer awareness program, and guarantee our funding as we onboard additional team members. Most importantly, the knowledge gained from the training program will help protect your organization with secure software moving forward.

We hope this series has helped form a vision for your developer security training. For more information, check out the SANS Securing The Human Developer program:

About The Author

Eric Johnson (@emjohn20) is a Senior Security Consultant at Cypress Data Defense and the Application Security Curriculum Product Manager at SANS. He is the lead author and instructor for DEV544 Secure Coding in .NET, as well as an instructor for DEV541 Secure Coding in Java/JEE. Eric serves on the advisory board for the SANS Securing the Human Developer awareness training program and is a contributing author for the developer security awareness modules. His experience includes web and mobile application penetration testing, secure code review, risk assessment, static source code analysis, security research, and developing security tools. He completed a bachelor of science in computer engineering and a master of science in information assurance at Iowa State University, and currently holds the CISSP, GWAPT, GSSP-.NET, and GSSP-Java certifications.


Posted April 14, 2015 at 12:15 AM | Permalink | Reply

Ryan King

The link to the SANS assessment tool talks about it being in development. Any idea when it will be available for prime time? Also, any knowledge of any other tools of the sort in either web based or static format? I'm on the verge of rolling out STH.Developer and would like to perform before and after assessments, but am looking for some resources to help me get started on building that survey.

Posted May 8, 2015 at 4:25 PM | Permalink | Reply

Eric Johnson

@Ryan ''" Thanks for your question. To my knowledge, the AppSec Cyber Talent assessment is scheduled to be completed in the Fall. More roll out details can be obtained by contacting

Post a Comment


* Indicates a required field.