Inspire your Developers with Next-gen Cyber Security Training: Teach Secure Coding Practices through Hands-on Exercises!

In the modern techno-business milieu, organisations all over the world are grappling with a number of challenges – not the least of which is an ever-expanding threat landscape. To mitigate the perils posed by smart cybercriminals with nefarious intentions and armed with smart tools, organisations need a robust defence strategy. Without it, they endanger the security and integrity of their systems and applications, which not only affects their business continuity but also risks pushing them into obsolescence. And one of the key activities in this defence strategy is – or should be – the development of secure software. Secure software is a crucial element of organisations’ business toolkits for these reasons:

First, to ensure compliance with industry standards and regulations that prescribe organisation-led security testing and training for developers.

Second, to keep costs down. In general, security bugs in software tend to increase over successive stages of the Software Development Lifecycle (SDLC). Fixing these bugs later increases the cost and slows down development, without guaranteeing that every vulnerability will be found – much less fixed. Naturally, a more efficient way to reduce security issues is to prevent them in the first place. But if this is not possible, catching and remediating bugs in earlier stages (or as early as possible) is the next-best way to minimise errors and keep costs down.

Third, in recent years, Data Protection and Privacy regulators have imposed substantial fines on organisations that have suffered data breaches. In addition to the financial impact, the subsequent reputational damage from such events can also be life-altering for an affected organisation. 

For all these reasons, most companies, especially those operating in regulated sectors, are offering at least some kind of cyber security training to their developers and technologists. Unfortunately, their training approach is usually old-fashioned and rife with challenges. As a result, their software is still affected by vulnerabilities that are 20-something years old. Since developers are not born knowing how to code securely, and the training that’s provided is often inadequate or outdated, these decades-old security vulnerabilities remain out there, affecting the software’s quality and real-world applicability.

Usually, Secure Coding training is delivered either in-class or as computer-based remote training.

In-class training is led by an instructor who typically teaches secure coding concepts in a “lab” environment with hands-on examples that candidates can play with. This is a very effective approach, but unfortunately it is very expensive, both in terms of cost and time away from work. That’s why most organisations deliberately make in-class security training a one-time event, with no further refreshers, even though refreshers are very important for learning retention.

Computer-based training (CBT) is usually delivered remotely and on-demand. It can be gamified, and it scales well for large companies where it’s not possible to send thousands of developers to “class”. However, it does not provide hands-on, real-world examples, so its effectiveness in practical coding environments is severely limited. Moreover, CBT rarely covers the complexities of today’s technology with in-depth or up-to-date explanations. Finally, it’s very difficult for the organisation to assess developers’ post-training competency in secure coding, since the assessment is usually done through multiple-choice questions that cannot effectively gauge their learning progress.

What about the need for secure coding from a developer’s or software engineer’s perspective?

There are already plenty of good articles out there about why it’s important for developers to take security seriously. These reasons range from benefits to the organisations they work for, as well as personal benefits, such as:

  • Help them avoid becoming a victim of cybercriminals and security breaches
  • Reduce their workload by minimising the number of errors they need to fix
  • Develop a reputation for work excellence and professional reliability
  • Gain the respect of colleagues and organisational leadership
  • Build a rewarding long-term career

Most developers and technologists know all of this already.

And yet, one question remains: how? Let me explain.

Developers are often already under tremendous pressure to deliver new features quickly, or to fix existing bugs. Both kinds of tasks are usually based on deadlines that are often outside their (or the organisation’s) control. In the midst of such challenges, the key question organisations grapple with is: How do we get software engineers to take security more seriously? Furthermore, how do we get them to care enough to upgrade their knowledge on a regular basis?  

Now, if psychologists have shown us one thing, it’s that when we care, we act. So, organisations that care about their security profiles, and about their development team’s competence and reputations – which are all inseparably-linked goals – take the necessary actions to achieve these goals. And one such action is teaching them secure coding practices through hands-on exercises.

Teaching Secure Coding Practices through “Hands-on” Exercises

Combining the best features of in-class training (real-world examples and hands-on practice) with the convenience of CBT (fully remote delivery and on-demand availability) empowers organisations like yours to scale up their training programme and make it more effective. And this is very much possible – if you know how.

There’s a new way to teach developers modern secure coding practices through 100% hands-on exercises. Developers learn defensive programming based on real-world vulnerabilities and famous breaches. This allows you to embed security right from the start of your SDLC. It also reduces the time and resources needed to address security fixes later, and saves everyone a lot of grief in the bargain. 

With this new approach, each developer gets a dedicated desktop that’s created on-demand in just a few seconds. This fully-configured “Integrated Development Environment” (IDE) can be easily accessed through the familiar web browser. No additional software needs to be installed. In this desktop, the developer selects the code of each exercise, giving them enhanced control over their learning process. Developers can have a go at exploiting vulnerabilities in a safe and isolated environment, and then remediate each security issue by coding the fix in the IDE. They also use the same tools and technologies they already use at the workplace, so they learn in a familiar yet highly-immersive environment. For instance, if they select a Java exercise, they will get a Java development environment, but if they choose a .NET exercise, they will get a different stack.

The objective is to bring training so close to developers that the experience becomes pleasant and interactive as they learn useful security skills and apply them instantly to their everyday jobs. 

A New Practical AppSec Methodology 

In this new AppSec training approach, developers and DevOps engineers can live-test changes to the code and check their effectiveness. This enables them to understand instantly whether the code has been fixed. They’re also awarded points and trophies for completing each exercise, which provides the motivation and impetus to keep going. If they get stuck, they can request a hint. Although this reduces their score, it also allows them to get “unstuck”, so they can move ahead and continue learning.

Exercises can be grouped into a sequence of logically-linked units called Learning Paths. These units allow a learner to become an expert in a topic in relatively small and easy-to-manage steps. When they complete a Learning Path, they receive a certificate.

These certificates have an expiration date, but they can be renewed by taking some refresher exercises during the year. This is a great way to keep their learning up-to-date and future-focused.

The organisation can create “teams” within the application to promote healthy competition, and boost learning competence. Developers in the same team can compare their results with their colleagues’ results on a leaderboard, and take steps to improve their skills and knowledge. Time-boxed tournaments can also be created to get the enterprise-wide developer community involved, as they compete in remediating security issues.

Apart from the educational benefits for developers, this new training methodology also allows the organisation to measure the real competency of their technologists in secure coding and remediation. I say “real competency” because developers are tasked with fixing security issues hands-on, not simply answering outdated or too-simple multiple-choice questions. Metrics, provided at different granularity levels, allow managers to quickly identify learning gaps and then provide targeted training to fill specific needs. Thus, instead of providing generic training for every developer – regardless of their experience or skill level – metrics allow you to understand where to focus at the organisation level to close gaps faster and better. Moreover, based on the previous results of each user and the mission of your organisation, you can seamlessly adapt the training to focus on specific business goals.

Another advantage: apart from training your current developer team, you can also utilise this approach to discover new talent, or to select the best contractor or agency to outsource your development function to.

Summary

In today’s challenging environment, security should be on the radar of every developer and every organisation. In fact, it should be something that they take as seriously as software testing and scalable application design. For developers, security awareness is a way to prove that they take pride in their work. And for organisations, the consequences of not being security-aware are too disastrous – and too numerous – to ignore.

Thankfully, there are newer, better and automated ways to help both developers and organisations care more about security, and make it a part of their SDLC DNA. Doing so helps them develop confidence that their applications are as secure as they can be.

With this article, I hope I’ve inspired you to want to learn more about this automated, continuous and modern way of training developers and DevOps engineers. This methodology can be engaging, interactive, and provide learning paths in a fully-automated environment that teaches secure code practices in a hands-on way. As I’ve already explained, the benefits it can deliver at the enterprise level are immense.

For more information on practical and real-world Cyber Security training, I encourage you to check out the resources at www.secureflag.com. You’re also welcome to reach out to me at [email protected]. I’d love to understand how you and your organisation are developing your developers’ secure coding skills, and how SecureFlag can help.


Keith Malone


9 months ago

Colin, thanks for sharing!


Great article, Colin. Really interesting how training is changing across multiple sectors and skills. Many sales leaders I recently engaged with felt their teams did not retain information just 3 months after classroom training. Many of those sales leaders are now moving towards monthly coaching & mentoring models, and they are seeing a real difference in the level of information retained and practised.
