Organizations embark on Application Security Training for two primary, intertwined reasons – to meet compliance requirements and reduce application security risk. Another motivation is that the AppSec capabilities and skills needed to meet these goals are not easy to find in the job market, so they must be built internally with existing employees. Providing existing employees with new skills and engaging training can also help retain them. But if you're reading this, you already know that and understand that you need, or at least want, an Application Security Training program. Your concern now is, "How do I build an effective program to meet my goals and make the investment in money and time worthwhile?"
I know that's not one of the items in the title, but I will slip it in here because it's critically important. Don't worry; you won't get fooled again (this section is The Who – some of you may need to use Google). I hear a lot of people calling AppSec training 'secure code training,' but it is way more than that. All the people in the application development cycle (Agile, DevOps, whatever) have roles to play and need education relevant to their particular jobs, not just coders. Even coders need to know more about AppSec than just code. You need to think about the training for product management, design, architecture, testing, deployment, and operations, as well as management, red team, etc., depending on your particular organization and its processes. Studies have shown that making training relevant and meaningful to the learner's role is one of the most critical factors in effective training.
One of my colleagues likes to use the analogy of chemistry and physics classes. The teacher gets you hooked with cool demonstrations, and then you want to learn what's behind them. But there's still no getting around the fact that for training to be effective, there's technical, factual material that must be retained. This doesn't have to be the boring part after the cool explosions. Well-designed online learning can be engaging from the start. Look out for simple videos – even if done well, there are no interactions to draw the learner into the learning aspect. In a ten-minute online learning module, there can be a couple of minutes of material, followed by an exercise that is fun and reinforces what was learned; then the cycle repeats, followed by a quiz to confirm learning and provide a sense of accomplishment. Learning always needs to include, well, learning. If it's just labs or ranges, for example, those end up being puzzles that are solved without changing learner behavior when employees go back to their work.
Labs for AppSec training are trendy these days, and it's clear why. It's like the cool part of chemistry mentioned above. It's where you're looking at code or solving attack challenges, and it feels like a game. Some programs consist almost entirely of labs to make it look fun and engaging. And they can be, but it's not enough to truly make the learner apply learning to their work (this is called 'transfer' in learning parlance, and I will be discussing it in a future webinar and blog). If you complete the lab, it becomes a game or puzzle to solve or win, but once it's finished, the fun is over, and it's done. The base knowledge needs to go with it to change behavior while meeting your goals of reducing AppSec risk and achieving compliance. If the lab is set up with that knowledge, then the game can be more realistic and the learning complementary and complete.
Even if the skills are learned and understood by combining Who, What, and How, they might not be applied without motivation. Learners need to understand why it's critically essential that they consider security as they perform their roles. A great way to accomplish that is to give them a hacker's eye view of their applications. Using a Cyber Range, learners can take what they learned and apply it to a realistic application: break into the app, increase their privileges, learn what's underneath the covers of the app, perform fraudulent transactions, steal data, etc. We've seen time after time that running these events, or providing the ranges for extended play, helps cement skills and motivates all the roles in the application lifecycle to apply them, to make sure the things they did to the range could not happen to their app!
An Application Security Training program is the only way to help those involved in creating, building, and deploying applications understand how to reduce risk and secure their applications. Unfortunately, that knowledge usually does not come with their core technical training. This is why compliance regimes require it and why organizations deploy these programs to reduce application security risk. If you invest the time and money to roll out such a program, you want it to be effective. Consider the Who, What, How, and Why in your program, and you will have taken a major step towards that goal. If you want to hear more about this topic, consider watching my earlier webinar that goes into greater detail.
About Fred Pinkett, Senior Director Product Management
Fred Pinkett is the Senior Director of Product Management for Security Innovation. Prior to this role, he was at Absorb, Security Innovation's learning management system partner. In his second stint with the company, he is the first product manager for Security Innovation's computer-based training. Fred has deep experience in security and cloud storage, including time at RSA, Nasuni, Core Security, and several other startups. He holds an MBA from Boston College and a BS in Computer Science from MIT. Working at both Security Innovation and Absorb, Fred clearly can't stay away from the intersection between application security and learning. Connect with him on LinkedIn.