Developer security training is more critical than ever, but data shows us that the industry isn’t taking it quite as seriously as it should. A recent ESG survey report, Modern Application Development Security, highlights the glaring gaps in effective developer security training. In the report, we learned that only 20 percent of surveyed organizations offer security training to new developers who join their company, and 35 percent say that less than half of their developers even participate in formal training to begin with.
More troublesome, less than half of organizations surveyed for the report require developers to participate in formal training more than once a year. While robust application security (AppSec) tools and solutions help developers learn as they code to get ahead of flaws before deployment, the need to continually remediate only slows teams down and bottlenecks innovation. So how can you get ahead of it? Consistent, engaging training that sticks.
Paired with the right scanning and testing tools, training solutions that go beyond checking boxes and watching tutorials are an effective way to embed the knowledge needed to write more secure code. That means less time spent fixing flaws and more time flexing creative muscles to improve your organization’s digital footprint.
Training techniques that count
Recently, Forrester Research published its Now Tech: Static Application Security Testing, Q3 2020, an overview of Static Application Security Testing (SAST) providers and the various benefits companies can realize with SAST. The report also discusses how SAST can integrate with developer solutions to improve engagement and knowledge, and it calls out the important role SAST plays in tandem with hands-on learning tools to reduce remediation time, enhance predictability, and teach developers about modern secure coding practices.
The Forrester report notes that firms that integrate SAST into their software development lifecycle (SDLC) will see an array of benefits, one of which includes developer education. With fast feedback in the IDE and pipeline, Veracode Static Analysis provides clear and actionable guidance on which flaws you should be fixing – and how you can fix them faster to improve efficiency.
SAST is undoubtedly a critical piece of the puzzle for closing knowledge gaps, but as Forrester’s report points out, it shouldn’t be viewed as a standalone tool. To drive engagement and adoption, managers leading this effort should integrate their SAST solution with engaging security training for developers to achieve a well-rounded AppSec program that developers want to participate in.
A Veracode Security Labs solution
At Veracode, we think out of the box when it comes to developer training. Veracode Security Labs closes a lot of gaps for developers looking to get a handle on modern threats and improve efficiency.
It uses real applications in contained, hands-on environments that users can practice exploiting and patching. There’s even a Community Edition, which is a forever-free version that offers some of the same Enterprise-grade tools to all developers interested in improving security knowledge on their own.
Level up without burning out on boring lessons. Veracode Security Labs brings real-world examples into the mix to build muscle memory, which means fewer flaws to fix and an easier path to compliance certifications. Engaging and customizable, there are even creative ways to gamify training with Veracode Security Labs through Capture the Flag (CTF) events and coding contests.
The “Top Secure Coder” crown
To highlight the efficacy of hands-on developer training, we recently held a “Top Secure Coder” challenge at Black Hat USA’s 2020 virtual event, where participants competed by completing Veracode Security Labs challenges. The results were exciting: over 330 people filled out participant application forms, most of whom then attempted to climb the leaderboard and contended for the top prize.
While participants racked up points by completing labs over the course of the Black Hat 2020 conference, two competitors who happened to be coworkers at the same company (friendly rival developers within a Veracode customer) skyrocketed up the leaderboard. After several lead changes during the competition, it came down to mere seconds: both finished tied at 310 points, but user “th3jiv3r” completed the labs just a little faster than “turtl3fac3”, which served as the tiebreaker on the leaderboard.
While this friendly challenge spurred an entertaining race for all of us, it proves that when there is a fun competition on the line, teams will push harder than they normally might have on their own. Engaging developer training works, and when it uses real-world application coding examples, that knowledge sticks.
Think you have what it takes? If you missed out on our first “Top Secure Coder” challenge, we’re bringing it back and hosting another virtual competition during DevOps World that you won’t want to miss.
Register for the conference to see us at DevOps World 2020 and join our next “Top Secure Coder” challenge to start improving your security skills.