How to Get the Most Out of Security Training Programs for Developers

We have all been involved in many training sessions in our careers. Sometimes willingly and sometimes not.

Let’s try to remember when those sessions had our full attention.

Without exception, it was when there was truly something in it for us.

Before we decide that a training session is worth our time, effort and attention, it needs to meet at least one of the following requirements.

  • To satisfy our curiosity in a subject we are interested in.
  • To remove a barrier that is standing in the way of advancing in our careers or education.

Software engineers also go through the same process in their minds before they decide if there is something in it for them.

Without personal interest in the subject or some sort of personal benefit, training sessions are destined to be items to check off on the to-do list of developers without resulting in the change we aim for.

Relating to curiosity, although there has been some improvement in the last few years, it is still quite rare to see software developers willingly put time and effort into learning secure coding practices.

This is very likely to change as the definition of a good software developer evolves over time and secure coding practices become must-have qualities rather than nice-to-haves.

However, we are not there yet. Until developers grow that curiosity, it falls on the shoulders of companies to make them feel that applying secure coding practices removes a barrier for them. But how?

There are two things we can do to create that sense of urgency to write more secure code.

First, we need a reward mechanism for good performers.

Second, for those who are not motivated by rewards, we need to create barriers so that they start working towards removing them.

Obviously, if we cannot distinguish between good and bad performers, there is no point in starting such an initiative.

Without a fair and objective measurement system, accountability rarely ends well; it mostly erodes the sense of fairness, which is detrimental to any company culture.

When we are confident that we can provide indisputable and objective feedback to our developers relating to their secure coding performance, we can go ahead and announce it as an integral part of our performance assessment system.

In the short run, those who want to stand out from the crowd and advance in their careers will be motivated by the reward.

For others, the barrier will become obvious after a few performance assessment periods, and they will be more willing to remove it.

With managers starting to provide feedback based on hard data, security awareness among developers will improve.

Identifying the types of vulnerabilities they individually create and showing them their mistakes will inevitably change the way they approach security.

Fostering this approach with customized training programs tailored to their needs will create a sense of belonging and show that you truly care about their self-development, while you also comply with company procedures.

At Kondukto, we help our customers access the invaluable data they need to identify the needs of their developers.

While this data allows tickets to be assigned to the developers who introduced the vulnerabilities in the first place, speeding up remediation, it also helps create an environment that moves security up developers' list of priorities.

Thanks to our integration with online training platforms, we also make it possible to assign training to developers on those platforms with a single click.

We are well aware that behavior changes do not happen overnight, but the data we provide becomes an integral element in changing the security culture over time, and in the long run you may hear developers talking about security in their internal discussions. Just like you always wanted.