If there is one topic on which most security practitioners agree, it is the fact that employee training must be part of your organization’s security strategy.
For IT users, the field of security training is pretty mature. Many of us go through yearly mandatory training reminding us to use passwords complex enough that you cannot remember them and to change them occasionally. Many organizations specialize in delivering such training with very similar curricula.
For a software developer audience, the field of secure software development training is much less mature, with very few reference frameworks available. Since the last RSA Conference, any development organization interested in rolling out a software security training program can refer to a report published by SAFECode (Software Assurance Forum for Excellence in Code). This report is entitled “Security Engineering Training: A Framework for Corporate Training Programs on the Principles of Secure Software Development”.
First, some background on SAFECode. SAFECode is a global, industry-led effort to identify and promote best practices for developing and delivering more secure and reliable software, hardware and services. EMC is a founding member of SAFECode, along with Juniper Networks, Microsoft Corporation, Nokia, SAP AG, and Symantec Corporation. The nice thing about SAFECode is that member companies have signed non-disclosure agreements and share their own software security assurance practices as the foundation for the reports published by the organization. The previous SAFECode report, entitled “Fundamental Practices for Secure Software Development”, is now open for public comment.
The new report on security engineering training outlines the fundamentals of a security engineering training program based on an analysis of the shared experiences of SAFECode members. This report provides a framework with three main levels of training (Foundational, Advanced and Specialized) that can be put into place to facilitate successful security engineering training initiatives across diverse corporate cultures, development environments and product requirements.
In the report, as well as at EMC and RSA, most courses are role-based: product managers, developers and QA engineers receive training directly applicable to their job function and to the company’s security development lifecycle.
There is no doubt that this paper will become a reference for any organization looking at rolling out security engineering training.