Four Steps to Help You Tackle AppSec Training—and Succeed

Teams across the SDLC are grappling with resource constraints, accumulated technical debt, skills gaps, and tight deadlines. Even though developers are on the front lines in preventing vulnerabilities, designing and implementing security training programs to stay ahead of threats can be challenging.

The bad news is software vulnerabilities have become a favorite attack vector for cyber criminals to breach an application and network. How do you begin to uplevel the DevOps team's cybersecurity awareness and improve application security? We’ve assembled a simple guide to help you get started. You can prepare, roll out, analyze, and optimize a training plan that will deliver measurable success and quantifiable value in just four steps.

1. Prepare: You Probably Already Know This

The first step is to organize what you already know.

  • Who are your people? What roles should be part of a training program? Software development has rapidly evolved in the wake of third-party components, cloud computing, agile methodologies, and the rise of DevOps. Software security stakeholders now include not just Developers but also Software Architects, Engineers, DevOps, Systems Analysts, Product Managers, and more.

  • What tech stack(s) do you use? Make sure you have a handle on the platforms that should be covered, including Android, iOS, AWS, Azure, Google Cloud, and Web, to name a few.

  • What are your goals for training and the metrics you want to achieve? Do you have basic compliance requirements to meet, or are you building a long-lasting security culture? Do you need to start with the basics, or is your team ready to prove their skills with a tournament event?

  • What are the standards you must meet? Depending on the security framework you are following, you should look for a curriculum that covers the relevant industry standards, such as CWE, MITRE ATT&CK, NICE, OWASP, and PCI.

  • What languages should training accommodate? A thorough needs assessment should consider what programming languages your team is using, such as .NET, Java, C#, Python, Ruby, SOAP, or Swift.

2. Roll Out: Turn to a Pro

Next, don't feel like you have to go it alone. Look for an experienced provider that does the heavy lifting for you. They should have expertise in the most effective learning methodologies and years of experience—not only in training for application development but across the SDLC and cyber threat landscape.

  • Look for a match: Identify a provider with specialized solutions that match your team's needs, tools, and tech stacks. Do they cover the requirements listed above? Do they offer tailored training to reduce developer downtime?

  • Develop a training plan: This is where an experienced provider pays off. They can help you create a workable, achievable, phased plan for your organization.

  • Prioritize sequencing: Work with the provider to tackle the most pressing needs and priorities first and with the proper skill sequences that will lead to lasting improvement.

  • Make it engaging: A good provider knows that learning also requires hands-on practice and engaging challenges for results that "stick." They can blend courses, skills labs, and realistic simulations in a learning path customized to each role.

  • Get it all down: Map out the courses and activities that will happen across roles and time frames so that you can efficiently set expectations and gather training data.

3. Analyze: See What's Happening

An expert provider will be able to help you measure how well the plan on paper is working in the real world of your SDLC environment.

  • Gather feedback: Feedback includes conversations directly with your team members and their managers, as well as utilization and performance data from the courses, labs, and simulations.

  • Analyze usage and trends: Now that you have data, what's meaningful specifically to your organization? Sometimes, the absence of data tells a story, too. Did people participate in each course or lab? Did they finish? Where did they improve the most? What surprises you?

  • Benchmark against KPIs: With data in hand, where are you relative to your goals and KPIs? How do you compare with similar organizations in your industry? This will provide good insight into adjusting your approach.

  • Monitor objectives: Are you meeting your original objectives? Did your objectives shift? Are you able to achieve results faster than expected, or do you need more time to achieve your goals?

4. Optimize: Make It Even Better

You’ve rolled out the first training phase; don’t stop there. Take the data you analyzed and apply it to improving and expanding your training program.

  • Tweak learning paths: Adjust specific learning paths by adding more advanced content or a mix of activities. Some people learn better with structured coursework, while others need to get their hands in it first. A good provider offers many options to make training more engaging for everyone.

  • Revise goals and metrics: Your team may exceed your goals, but often teams are slower to achieve them, and that's okay. An experienced provider can help you adjust expectations and revise metrics to align with realistic goals.

  • Update plans: If you started with the most pressing area of the business, it’s time to move on to your other stakeholder groups. If you have a team of more advanced learners, offer them next-level courses and challenges to continue to hone their skills. Maybe it’s time to deploy an education plan across your organization to create a security-first mindset. Create your training plan 2.0 and onward!

Once you take the leap and have the first round of training behind you, application security training moves from being a demanding burden to becoming a valuable contribution and competitive advantage for your organization. For a quick summary of the steps involved in launching successful training programs, check out our infographic Four Steps to Implementing AppSec Training.

About Fred Pinkett, Senior Director Product Management

Fred Pinkett is the Senior Director of Product Management for Security Innovation. Before this role, he was at Absorb, Security Innovation's learning management system partner. In his second stint with the company, he is the first product manager for Security Innovation's computer-based training. Fred has deep experience in security and cloud storage, including time at RSA, Nasuni, Core Security, and several other startups. He holds an MBA from Boston College and a BS in Computer Science from MIT. While working at both Security Innovation and Absorb, Fred clearly can't stay away from the intersection between application security and learning. Connect with him on LinkedIn.