“We often forget that technology cannot solve the world’s problems.” That was one of the opening lines of Joanna Huisman’s session “Magic Quadrant for Security Awareness Computer-Based Training” at the Gartner Security & Risk Management Summit in National Harbor, MD. While her Magic Quadrant doesn’t address DevSecOps training, I took away some valuable lessons that also apply to this area.
20 percent of users will never change behavior, no matter how well you train
Traditional awareness efforts are based on the belief (or hope) that information leads to action. In other words, the problem with training is that “awareness” does not automatically result in secure behavior: about 20 percent of learners are never going to do the right thing, no matter how much you train them.
Let’s think this through for a moment: 80 percent of your audience will follow your advice to some extent, so you will get an improvement, but 20 percent will not change their behavior. Most security professionals aim to reward users who follow the security process but are reluctant to punish the ones who don’t, because they don’t want to be the bad guys. Even if they are prepared to go through with punitive actions, it may run counter to corporate culture (and is generally not a good teaching practice).
Education is good, but it must be coupled with technical controls
This means that while security awareness does improve your security posture, you still need technical controls in place to mitigate the rest. In the case of DevSecOps, this translates into a combination of secure coding training and automated application security testing. The training reduces the number of vulnerabilities introduced into the code, which lowers the cost of your DevSecOps program, because security defects that never enter the code are understandably much cheaper than those found in production. The security testing serves as a feedback loop for developers and as a gate to stop security defects from escaping to production.
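To make the “feedback loop plus gate” idea concrete, here is an added example (not code from the original post, and not Veracode’s tooling) of the small policy step a CI pipeline runs after an automated application security scan. It assumes a constructed, tool-neutral JSON report shape and an assumed five-level severity scale; both are illustrative, not the format of any real scanner. The script turns findings into developer-facing feedback lines, drops findings already accepted in a baseline so legacy debt does not block every build, and then decides whether the build may proceed according to a severity threshold and an optional budget for medium findings.

```python
import json
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Severity ordering assumed for this example; real scanners use their own scales.
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    file: str
    line: int
    message: str

    def fingerprint(self) -> Tuple[str, str]:
        # Rule + file, not line number, so a baseline survives unrelated edits
        # that shift lines (a simplification; real tools hash more context).
        return (self.rule, self.file)


def parse_report(report_json: str) -> List[Finding]:
    """Parse the constructed, tool-neutral JSON report shape used in this example."""
    data = json.loads(report_json)
    findings = []
    for item in data.get("findings", []):
        sev = str(item.get("severity", "info")).lower()
        if sev not in SEVERITY_RANK:
            raise ValueError(f"unknown severity {sev!r} in report")
        findings.append(Finding(
            rule=item["rule"], severity=sev, file=item["file"],
            line=int(item["line"]), message=item.get("message", ""),
        ))
    return findings


def new_findings(findings: List[Finding], baseline: Set[Tuple[str, str]]) -> List[Finding]:
    """Keep only findings not already accepted in a baseline of known, triaged issues."""
    return [f for f in findings if f.fingerprint() not in baseline]


def evaluate_gate(findings: List[Finding], fail_at: str = "high",
                  max_medium: Optional[int] = None) -> Tuple[bool, List[str]]:
    """Decide whether the build may proceed; returns (passed, reasons for failing)."""
    reasons = []
    threshold = SEVERITY_RANK[fail_at]
    blocking = [f for f in findings if SEVERITY_RANK[f.severity] >= threshold]
    for f in blocking:
        reasons.append(f"{f.severity}: {f.rule} at {f.file}:{f.line}")
    if max_medium is not None:
        mediums = sum(1 for f in findings if f.severity == "medium")
        if mediums > max_medium:
            reasons.append(f"{mediums} medium findings exceed budget of {max_medium}")
    return (len(reasons) == 0, reasons)


def format_feedback(findings: List[Finding]) -> List[str]:
    """Developer-facing lines, most severe first, in a form a ticket or PR comment can carry."""
    ordered = sorted(findings, key=lambda f: (-SEVERITY_RANK[f.severity], f.file, f.line))
    return [f"[{f.severity.upper()}] {f.file}:{f.line} {f.rule}: {f.message}" for f in ordered]


# Constructed sample report (not the output of any real scanner).
SAMPLE_REPORT = json.dumps({"findings": [
    {"rule": "sql-injection", "severity": "high", "file": "app/db.py", "line": 42,
     "message": "query built with string concatenation from request input"},
    {"rule": "weak-hash", "severity": "medium", "file": "app/auth.py", "line": 17,
     "message": "MD5 used for password storage"},
    {"rule": "debug-enabled", "severity": "medium", "file": "app/config.py", "line": 3,
     "message": "DEBUG=True in production settings"},
    {"rule": "missing-charset", "severity": "low", "file": "app/views.py", "line": 88,
     "message": "response Content-Type without charset"},
]})


def run_gate(report_json: str, baseline: Set[Tuple[str, str]] = frozenset(),
             fail_at: str = "high",
             max_medium: Optional[int] = None) -> Tuple[bool, List[str], List[str]]:
    """Full loop: parse, drop baselined findings, produce feedback, apply the gate."""
    findings = new_findings(parse_report(report_json), baseline)
    passed, reasons = evaluate_gate(findings, fail_at=fail_at, max_medium=max_medium)
    return passed, reasons, format_feedback(findings)


if __name__ == "__main__":
    passed, reasons, feedback = run_gate(SAMPLE_REPORT)
    print("\n".join(feedback))
    print("GATE:", "PASS" if passed else "FAIL", reasons)
```

The two knobs matter in practice: the severity threshold is what actually stops defects reaching production, while the baseline and the medium budget keep the gate from failing on pre-existing debt, which is what makes developers trust the feedback rather than route around it.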
At Veracode, we offer courses to teach the fundamentals of secure coding, both as eLearning and live sessions. With Veracode Static Analysis IDE Scan, we provide instant feedback on code security as developers are typing code in their IDE. And we provide feedback via ticketing systems and a security gate as part of Veracode Static Analysis. If developers get stuck fixing a vulnerability, they can book our application security consultants for a coaching session to help fix their security defect.
Learn more about Veracode’s Developer Training.