Application Security Weekly (Audio)

The Psychology of Training - Matias Madou - ASW Vault

Wed Jul 05 2023
security culture, secure coding, training, application security, security champions

Description

This episode covers the importance of a good security culture, effective ways to address security, evaluating the effectiveness of security programs, promoting secure coding practices, effective training strategies, and creating developer-friendly solutions. Topics include the need for relevant and interactive content, the role of security champions, measuring the impact of training, focusing on one vulnerability at a time, convincing management teams to invest in security, aligning training with organizational resources, and embedding knowledge into development environments.

Insights

Developers need relevant and interactive content

To effectively learn about secure coding, developers require content that is relevant, interactive, and brief.

Security champions can promote secure coding practices

Having security champions within development teams can be beneficial for promoting secure coding practices.

Measuring the impact of training on code security is challenging

Quantifying the impact of training on code security can be challenging, but some companies use scans before and after training to measure improvements.

Focusing on one vulnerability at a time can be more effective

Addressing one vulnerability at a time can be more effective than trying to tackle multiple issues simultaneously.

Training should go beyond compliance requirements

Training should focus on practical skills and knowledge that help developers improve security, rather than just meeting compliance requirements.

Sharing information in a developer-friendly manner is crucial for effective training

To ensure effective training, information should be shared in a way that is accessible and convenient for developers.

Embedding knowledge into development environments is more effective than relying on documentation

Embedding knowledge into development environments, such as IDEs and CI/CD tools, is more effective than relying solely on documentation.

Creating developer-friendly solutions is crucial

Security vendors and the security community should focus on creating solutions that are accessible and developer-friendly.

Developers should be supported on a day-to-day basis

Developers should receive ongoing coaching and assistance in writing secure code to ensure continuous improvement.

A good security culture requires more than teaching tools

A good security culture involves more than just providing tools for secure coding; it requires a comprehensive approach.

Chapters

  1. A Good Security Culture
  2. Effective Ways to Address Security
  3. Evaluating the Effectiveness of Security Programs
  4. Promoting Secure Coding Practices
  5. Effective Training Strategies
  6. Creating Developer-Friendly Solutions

A Good Security Culture

00:02 - 07:27

  • A good security culture requires more than teaching tools
  • Developers need relevant, interactive, and brief content to learn about secure coding
  • Creating successful security champions programs is a challenge
  • Metrics are needed to measure the success of security culture
  • Developers do care about security if they are taught how to create secure software
  • University education often lacks focus on writing secure code
  • Secure coding means considering the unintended functionality that can have security implications
  • Application security ensures that the intended functionality is present without additional functionality that has security implications
  • Secure coding encompasses syntax errors, architecture, and API contracts

Effective Ways to Address Security

07:01 - 14:11

  • Secure coding involves not only syntax errors but also considerations of architecture and API contracts.
  • Design changes can help prevent certain mistakes, but legacy systems often require working with existing code.
  • The ratio of application security personnel to developers is typically low, so finding effective ways to address security is crucial.
  • Understanding the population of developers in an organization and their level of security awareness is important for implementing effective security measures.
  • Having security champions within development teams can be beneficial for promoting secure coding practices.
  • Training can be an effective way to upskill developers and improve code security before implementing SaaS solutions or automation tools.
  • Quantifying the impact of training on code security can be challenging, but some companies use scans before and after training to measure improvements.

Evaluating the Effectiveness of Security Programs

13:47 - 20:42

  • Companies often use a combination of scanning and training to improve security.
  • However, it's important to consider other factors beyond just scanning and training to evaluate the effectiveness of a program.
  • Focusing on one vulnerability at a time can be more effective than trying to address multiple issues simultaneously.
  • Measuring success by determining if a specific vulnerability still exists after training is a binary approach.
  • Training programs may initially lead to an increase in reported problems as developers become more aware of security issues.
  • A security culture should involve both top-down and bottom-up approaches, with everyone understanding the importance of secure code.
  • The goal of an application security team should be shipping reliable code, not just finding vulnerabilities.
  • Having one security champion is not enough; organizations need general awareness among developers about secure coding patterns.
  • Creating a foundation with defined coding patterns can help ensure the development of secure code.

Promoting Secure Coding Practices

20:21 - 27:27

  • Creating a foundation for everyone to have a minimum capacity and knowledge of code security
  • Management teams often expect immediate results from setting up an AppSec team, but it's important to have realistic expectations
  • Finding ways to create time for dev teams to prioritize security training
  • Some teams only do compliance training as a checkbox exercise, which is not effective
  • Convincing management teams to invest in security can be done by showing the potential risks and vulnerabilities in their own tech stack
  • Demand for security solutions has increased, and there is less need to educate management teams about application security problems
  • Despite the growing interest, many people still struggle with getting their management teams to take security seriously
  • Training should go beyond compliance requirements and focus on practical skills and knowledge that help developers improve security
  • In the past, static analysis vendors offered training programs, but they were often basic and focused on remediation rather than comprehensive understanding

Effective Training Strategies

26:57 - 33:53

  • Static analysis vendors used to have training programs, but they were not effective because they were too general and not language or framework specific.
  • Training should be aligned with the organization's code, tech stack, and internal resources.
  • Training should be focused on creating good habits and balancing knowledge and behavior.
  • Sharing information in a way that is accessible to developers is crucial for effective training.
  • Throwing more information at developers is not the solution; it needs to be where they already are.
  • The future of training will involve more sharing of information in a developer-friendly manner.

Creating Developer-Friendly Solutions

33:27 - 34:53

  • Security vendors and the security community need to create solutions that are accessible to developers.
  • Sharing knowledge within organizations is crucial, especially when developers leave.
  • Embedding knowledge into the development environment, such as IDEs and CI/CD tools, is more effective than relying on documentation.
  • Capturing custom rules and recipes in a more innovative way can lead to significant changes in the next five to ten years.
  • Developers should be supported on a day-to-day basis with coaching and assistance in writing secure code.