Since Security Innovation is a provider of application security training, we often get asked for advice on how to build an application security training program. Tom started this topic recently here, and I will go into a little more depth.

While I have been with Security Innovation, I have watched a number of programs and have seen how they were rolled out, so I would like to share some observations about different types of programs, what has succeeded, and what we can learn from them.

The first thing I would say is that, as with many endeavors, one should start by defining the goals. In training there is usually either a compliance goal or a more general security goal - but a more general goal is often the result of, or is partially motivated by, regulation, compliance or risk.
If the goal is simply compliance, start with the place compliance is defined – audit. Find out what the requirements are to be considered in compliance and use that as at least a minimum standard. In most cases passing an exam is required to show auditors that training was completed and absorbed; in other cases a training report will do. In some cases training that truly covers application security will be required; in others, one class that goes over the compliance requirements at a high level is all that is required. Regardless, unless compliance is used as an opportunity to reduce risk as well as just check a compliance box, many will seek the minimum, and the auditor is the place to find it.

However, if the goal is to reduce risk or improve security, then there are a number of things to consider. Here are some of them:

  • Is the management of the trainees on board?
  • Who is going to be trained, and what is the current familiarity with application security?
  • What is the context in which the training is being rolled out?
  • Where are the people who will be trained?
  • When can the training be done, and when is it needed?
  • Who will get each level of training (there are several models that can be used)?
  • How will I deliver training?
  • How will I evaluate training?
  • How will I enable the trainees to take what they’ve learned and apply it completely and correctly?

I will start with the first question. It is absolutely essential that management is on board. I have seen several examples of security trying to do the right thing by acquiring courseware and then marketing it internally, assuming they can get technical people interested in what they are. While I have seen several examples, I have never seen it work. If a developer (or tester, architect, etc.) is going to go learn something, in general they will go after new technologies, and in the application world that is new languages, frameworks, algorithms, systems, etc. It is not security (except for an unusual few). To get them to take security training, management has to be on board and include improved application security in their goals. To make a training program a success, it has to be done in partnership with the application development ecosystem in the company, under an umbrella of support from management.

We will take on the rest of these questions in future blog posts on this topic.