DevSecOps Education and Training: 3 Ways to Build a Security-Aware Engineering Workforce
Implementing a security-aware workforce is essential for any organization aiming to integrate DevSecOps best practices effectively.
Published July 25, 2024.
While most developers aren't security experts, they oversee a significant attack surface for many companies: web applications.
Many security teams make huge investments into application security tools, yet still struggle to beat back attackers trying to exploit vulnerabilities in web applications. This is largely due to the challenges of implementing application security tools in a developer-friendly manner - which are known for bombarding developers with issues that may not pose real risks.
In this article, we'll examine a few strategies to build a security-aware engineering workforce, so that development teams can more consistently deliver secure code.
1. Identify Security Champions
Somewhat ironically, the application security team is often the bottleneck for hardened application security. At no fault of their own, they are often outnumbered by developers 100 to 1, which is why development teams shouldn't rely solely on their expertise.
Creating a security-aware workforce starts with identifying and empowering security champions within your engineering team. These champions act as internal advocates and experts, fostering a culture of security awareness and best practices.
Security champions are typically senior engineers or team members with a strong interest and expertise in security. They provide personalized support, serve as go-to resources for security-related questions, and lead by example in promoting secure coding practices.
To build security champions, consider:
- Sending these champions to conferences hosted by organizations like OWASP to stay on top of the latest application security risks and trends.
- Training them on malicious code examples preventing common vulnerabilities like javascript injections
- Ensure they're familiar with DevSecOps skills and techniques to build out automated DevSecOps pipeline for their team
Pros & Cons
Pros
- Open support: Engineers like speaking with other engineers. Having a resource to openly discuss security concerns with peers is critical.
- Encourages collaboration: This approach fosters a culture of teamwork and shared responsibility for security, enhancing overall team cohesion and secure software development. When security becomes a collective responsibility, it leads to more thorough code reviews and diverse perspectives on potential vulnerabilities.
- Cost-effective: Utilizes existing team members without the need for additional resources. By leveraging the diverse skills and interests of current employees, organizations can enhance their security posture without significant financial investments.
» Worried about cost? See these cost-effective ways for startups to improve app and cloud security
Cons
- Limited scalability: Security champions may become overburdened with questions and support requests. As the team grows, the demands on security champions can increase, making it challenging to provide consistent support.
- Dependence on individual expertise: When security knowledge is concentrated in a few individuals, security support and continuity can dwindle quickly if they leave the organization.
- Potential for inconsistency: Security champions may have differing levels of expertise and approaches, which can lead to inconsistent advice. Variability in skill levels and personal methodologies can result in uneven security practices across the team.
2. Purchase Continuous Training Programs or Tools
Investing in structured training tools like Secure Code Warrior is another strategy many companies take to help enable their developers, which can provide comprehensive, interactive learning experiences tailored to different skill levels.
These platforms offer continuous education, keeping engineers updated with the latest security threats and best practices.
Secure Code Warrior, for instance, offers gamified training modules that engage developers and make learning about security enjoyable and practical. Such tools provide structured learning paths, real-world scenarios, and hands-on exercises that help engineers understand and mitigate security vulnerabilities effectively.
Pros & Cons Explained
Pros
- Wide-ranging topics: developer security training courses cover all sorts of concepts, like covering specific best practices for various coding languages and frameworks.
- Continuous learning with updated modules: Keeps engineers engaged and updated with the latest security threats and best practices through regular updates and new content. Ongoing education ensures that engineers remain vigilant and proactive in addressing new vulnerabilities.
- Certification: Engineers can earn certifications that validate their security expertise, adding value to their professional development. This could enhance career growth and provide recognition for their skills in security.
Cons
- Cost: Requires a certain financial investment for licenses and subscriptions, which can be a significant expense—or even barrier—for startups or smaller organizations.
- Engagement: Engineers may not consistently engage with the platform if not incentivized, potentially reducing the effectiveness of the training and the cost-effectiveness.
- Generic content: Training may not be fully aligned with specific organizational needs or technologies used, limiting its applicability. While the training covers general security principles, it might not address unique security challenges specific to the organization's environment.
3. Use Tools Like Jit for Automated Feedback
A third option to educate developers is to provide continuous feedback on the security of their code.
Tools like Jit scan every code change for security issues and provides remediation guidance and a suggested code change to resolve the issue. While most code security testing tools list issues in a backlog within a third party UI, Jit delivers feedback entirely within the development environment so developers don't need to context switch.
- Immediate feedback: With tools like Jit, developers receive real-time insights into the security implications of their code changes, allowing for quick remediation. This instant feedback loop helps prevent security issues from progressing further into the development lifecycle.
- Continuous improvement: Regular feedback encourages developers to learn from their mistakes and adopt better security practices over time.
- Scalability: Automated tools like Jit can be applied across the entire development team without overwhelming individual resources. These tools can scale across codebases quickly, making them suitable for teams of any size, effectively ensuring consistent security practices.
Case Study: How ShopMonkey developers use Jit to resolve security issues at the code change
ShopMonkey delivers an all-in-one platform for auto repair shops to manage customer communication, finances, inventory, and other elements of running an auto shop. They integrated Jit into their CI/CD pipeline, providing developers with instant feedback on the security of their code.
Before Jit, ShopMonkey had a variety of security testing tools that developers struggled to adopt. Security issues were documented in multiple different UIs, which made it difficult to implement a unified strategy for prioritization.
- Improvements in overall security posture through developer enablement: ShopMonkey realized improvements in the overall security posture of applications come from developers being more aware of security issues and how to address them. With regular feedback on the security of their code, developers learned best practices for secure development.
- Faster development velocity: The process before Jit required developers to triage vulnerabilities that were already in production, which interrupted day-to-day routines to deliver new features. Jit helped developers secure their code from the start, which reduced triage cycles for vulnerabilities in production.
With Jit, ShopMonkey realized benefits like:
Streamlining Your DevSecOps Training
Implementing a security-aware workforce is essential for any organization aiming to integrate DevSecOps best practices effectively.
By identifying security champions, investing programs for secure development training, and automated testing tools like Jit, companies can build a robust foundation for security education. These strategies help ensure that engineers are equipped with the knowledge and resources they need to address security challenges proactively.
Moreover, security should be thought of as an ongoing process that requires continuous vigilance and improvement. Encouraging developers to integrate these practices into their daily workflow helps maintain high security standards and fosters a culture of security awareness.
Combining different approaches to security allows organizations to achieve comprehensive and effective security training, ultimately safeguarding their applications and data.
» Learn more: Developer's guide to DevSecOps tools and processes