A DevSecOps strategy won’t work if developers haven’t bought into the movement. CA Veracode held a virtual summit on Assembling the Pieces of the DevSecOps Puzzle yesterday to talk about the importance of developer security training in a DevOps environment.
According to Sonali Shah, VP of product management and marketing for CA Veracode, while the security threat is growing every day, security resources are scarce and there will be a shortage of 2 million cybersecurity experts by 2019. In addition, hiring experts is costly and time-consuming. In order to close the gap, companies need to have their development teams own security.
“Developer training is the key to breaking the cycle,” said Maria Loughlin, senior VP of engineering at CA Veracode.
However, the problem is that since developers never had to worry about security, they were never trained on it. In a recent report, CA Veracode found 86 percent of organizations don’t spend enough on application security training, 76 percent are not required to take a course on application security in college, and 68 percent of organizations don’t provide any form of application security training. This lack of awareness or understanding can create a barrier to DevSecOps because developers don’t know how to develop secure code, and they often view security as a burden.
According to Loughlin, the company’s scan data has found that when developers were provided eLearning opportunities, there was a 19 percent improvement in fix rates. Applying remediation coaching resulted in an 88 percent improved fix rate.
In order to raise the baseline of developer security knowledge, Loughlin suggested organizations provide broad training across the board. Every developer needs to understand application security principles, she explained, so training should cover multiple aspects of security such as authentication, authorization, trust boundaries, data protection, session management and threat models. The goal of the training is to make developers aware of how they can be proactive when they are developing new code.
Once the basics are covered, Loughlin says organizations can move into more specialized training, such as role-specific training or technology-focused training.
Lastly, organizations should always be thinking about on-the-job training because security is a never-ending process. This includes secure code reviews, feedback in the developer’s IDE, and ongoing mentoring and learning.
But in order for any of these best practices to make a difference, Loughlin said businesses need to have buy-in from the top, focus on what matters, make teams accountable, measure, adapt and improve. Security training takes time and requires a budget, so companies need to start small, grow, make training relevant, align training with goals, make it actionable, and learn from their own experiences.
Loughlin also noted that while all developers should get a basic understanding of application security, organizations need to train for different levels of experience. Not everyone is going to be a security professional. Developers will range from knowledgeable team members to security champions and security professionals.
According to Shah, security champions play a large role in DevSecOps. A security champion is a person on the development team who receives training and acts as the eyes and ears of the security team while representing the needs of the development team. Organizations can’t force developers to become security champions, Shah explained; they need to volunteer and be eager to learn. Security champions will also work as part of the product management team by helping to define “done” criteria and providing better alignment early on.
To build a successful security champion program, organizations need to set goals, recruit a team, clearly explain how success is going to be measured, and reward members. “A security champion is a product champion,” Shah said. “[Because] a good product is a secure product.”
Other ways Veracode has found that developers and security teams can work together include not using security jargon, not rolling out any changes without notifying team members, giving advice, providing guidance, offering solutions, and building a relationship.