The Software Assurance Forum for Excellence in Code (SAFECode), a non-profit organization exclusively dedicated to increasing trust in information and communications technology products and services through the advancement of effective security assurance methods, today announced the launch of a new community resource for software security training and released its first set of free online security engineering training courses.  The program aims to help address gaps in security engineering knowledge among the software engineering workforce, a key challenge facing organizations working to improve software security.
 
Security engineering training by SAFECode is a new online community resource offering free security training courses delivered via on-demand webcasts. Covering issues from preventing SQL injection to avoiding cross-site request forgery, the courses are designed to be used as building blocks for those looking to create an in-house training program for their product development teams, as well as individuals interested in enhancing their skills. SAFECode intends to add further courses and resources to the site, including training program implementation advice based on the real-world experiences of SAFECode members, with the goal of creating an accessible and practical industry resource to support and promote software security training.
 
The collective experience of SAFECode’s member companies has shown that software security is most successful when it is treated as a process that reflects an individual company’s culture and unique development needs. Supporting this process through software security training is essential. In fact, an analysis of software security programs of SAFECode members revealed that each successful effort included internally developed security engineering training directed at those responsible for the development of the software they produce, including product managers, project managers, architects/designers, developers, and testers.  Building on this observation, SAFECode’s new training program is designed to support the training framework outlined in its earlier paper, Security Engineering Training: A Framework for Corporate Training Programs on the Principles of Secure Software Development.
 
“Ensuring that everyone touching the product development lifecycle has the knowledge they need to support an organization’s software security process is a fundamental challenge for any organization committed to software security success. While SAFECode’s analysis has shown that security training is most effective when aligned to an organization’s unique culture and security development process, we recognize that not every organization has the resources required to develop custom training,” said Howard A. Schmidt, Executive Director of SAFECode. “This seemed an obvious area where SAFECode members could use their internal resources to make a positive industry impact. By providing free training courses in a modular fashion, we hope other organizations can pick and choose the ones most relevant to their needs to either supplement an existing program or build the foundation for a new one.”
 
The initial set of courses released today covers introductory-level topics and is based on training materials donated to SAFECode by Adobe after successful use in its software security program. A team of technical contributors from the SAFECode member companies reviewed and supplemented the course materials to ensure broad applicability across diverse development environments. Additional courses are already in the review process and will be added to the site on an ongoing basis. It is SAFECode’s goal to create a diverse catalog of security engineering training courses for all expertise levels as a community resource. In that spirit, comments on the course materials are encouraged so that the program and its materials can be evolved over time to best meet the needs of the community it aims to serve.
 
“The lack of security engineering awareness and education among the software engineering workforce can be a significant obstacle to organizations working to implement software security programs,” said Schmidt. “While not a replacement for formal security engineering education at the college and university level, nor a one-size-fits-all curriculum, SAFECode hopes that this new program is a step forward in addressing that knowledge gap and promoting the broad application of secure development practices.”
 
Visit https://training.safecode.org today to learn more about the program and participate in its free courses.  To learn more about SAFECode and SAFECode membership, as well as additional training benefits available to SAFECode members, please visit www.safecode.org.