What do developers want and need from secure coding training?

Hands closeup of person typing - securing coding training
(Image credit: Shutterstock)

Cybersecurity is increasingly becoming integrated into software development initiatives. As part of this, application security (AppSec) specialists often work closely with software development teams to improve security within the applications they create. However, there is still confusion about the role developers play in software security, and whether responsibility for it should rest solely on their shoulders.

About the author

Carsten Huth is Technical Account Manager Team Leader at Checkmarx.

The best way for companies to avoid confusion and address secure coding practices head on is to acknowledge inconsistencies exist, and from there, apply a modern approach to developer AppSec awareness and training across the board. Here’s how.

Understanding the developer perspective

The vast majority of developers today want to create more-secure code. In fact, recent research found that when developers were asked about the skills they prioritized learning or improving most during the pandemic, the top response was AppSec / secure coding (46%). Whether due to competitiveness amongst peers, a heightened sense of responsibility, or even a personal desire for perfection, they readily acknowledge security training is imperative to the work they do. However, it isn’t something they often let impact their primary objective – to develop and deliver feature-packed software at speed – which is where issues emerge.

The vast majority of today’s developers is measured by the speed of delivering workable code, not by the amount of security vulnerabilities contained within it. This means that, although they’re aware of the need to deliver bug-free code, with most putting effort in to do just that, cumbersome secure coding education solutions which slow developers down and aren’t deemed necessary to daily duties. Some likely even consider them a nuisance.

To ensure the delivery of secure code, team leaders must begin treating security vulnerabilities as seriously as they do coding bugs. This will establish the importance of secure coding among teams, allowing organizations to then implement a programmatic approach to AppSec awareness and training.

Training in practice

Video tutorials, lectures, slide decks, periodic classroom training, and mandatory online courses are all standard approaches to AppSec training, yet they often fail to actually help, or retain the attention of, developers. That’s because these approaches are generally treated as boxes that need to be checked on a to-do list, and not as vitally important tools for securing an application.

Training and development to change this mindset needs to be easily accessible, relevant, and immediately actionable, instead of just a means of delivering information to instill knowledge. Learning occurs best when training is targeted to a specific set of behaviors or skills and is delivered in a real-time context relevant to the learner. Businesses must do better here to ensure delivery is in a style that best suits developers and the various ways they enjoy absorbing information.

Effective AppSec awareness and training programs should also harness all of the benefits modern technology afford us. Much in the same way an engaging mobile app can influence the behavior of users, the foundation for efficient secure coding practices can be rooted in gaming principles and technology-driven traits that keep users engaged long-term.

Organizations looking to exploit this should use stories and examples. This enables participants to feel directly and emotionally involved with the content, improving retention. This level of interactivity might also result in developers paying more attention, yielding a higher chance of learning and retaining information – important when considering many people learn more effectively by doing and experiencing, rather than just by hearing or seeing.

Finally, using short content, which is precise and to the point, eliminates irrelevant information, and increases the likelihood of engagement. Given time is a precious resource for developers, the briefer the better.

Periodic assessments

It’s vital that an organization's AppSec awareness metrics are always on the rise too. After all, what’s the point of investing in awareness and training solutions if they don’t reduce software security risks? To ensure this is the case, organizations need to closely monitor the progress of development teams. Continuous improvement is the desired result, and to achieve this, organizations need to periodically assess the current state of their developers’ security mindset.

An easy way to measure secure coding skills is to use assessments that take 10-15 minutes to complete and can be assigned to individuals or teams. These can be used to establish a clear baseline allowing organizations to see the impact of training over time, identify knowledge gaps and nurture those who require more training. A key goal of assessments is to determine if developers need more training, identify areas of weakness, measure and report on improvements, and finally, reduce repetitive coding errors.

Taking responsibility

The stark reality is that despite most organizations wanting to increase security awareness amongst their employees, many don’t know where to begin. With AppSec ownership continuing its gradual shift from IT to DevOps, securing the development pipeline is a skill developers must learn.

Moreover, the same survey as referenced before discovered that over half (55%) of developers had taken on ‘somewhat’ or ‘significantly more’ application security responsibility over the past year. This makes it even more important for businesses to ensure developers are being supported with necessary training. Doing so will drive true change in the way developers and DevOps teams think about security.

Final thoughts

By following these recommendations and ensuring developers receive the appropriate AppSec training both as a priority and in a way in which they can truly engage and learn, organizations can stay one step ahead of constantly evolving threat actors, and ensure that more secure software applications are being released.

Carsten Huth

Carsten Huth is Technical Account Manager Team Leader at Checkmarx.