A Security Engineering Training Framework

If there is one topic on which most security practitioners agree, it is that employee training must be part of your organization's security strategy.

For IT users, the field of security training is fairly mature. Many of us go through yearly mandatory training reminding us to use passwords complex enough that we cannot remember them and to change them occasionally. Many organizations specialize in delivering such training, with very similar curricula.

For a software developer audience, the field of secure software development training is much less mature, with only a few reference frameworks available. Since the last RSA Conference, any development organization interested in rolling out a software security training program can refer to a report published by SAFECode (Software Assurance Forum for Excellence in Code). This report is entitled "Security Engineering Training: A Framework for Corporate Training Programs on the Principles of Secure Software Development".

First, some background on SAFECode. SAFECode is a global, industry-led effort to identify and promote best practices for developing and delivering more secure and reliable software, hardware and services. EMC is a founding member of SAFECode, along with Juniper Networks, Microsoft Corporation, Nokia, SAP AG and Symantec Corporation. The nice thing about SAFECode is that member companies have signed non-disclosure agreements and share their own software security assurance practices; those shared practices are the foundation for the reports the organization publishes. The previous SAFECode report, entitled "Fundamental Practices for Secure Software Development", is now open for public comments.

The new report on security engineering training outlines the fundamentals of a security engineering training program based on an analysis of the shared experiences of SAFECode members. This report provides a framework with three main levels of training (Foundational, Advanced and Specialized) that can be put into place to facilitate successful security engineering training initiatives across diverse corporate cultures, development environments and product requirements.

In the report, as well as at EMC and RSA, most courses are role-based: product managers, developers and QA engineers receive training directly applicable to their job function and to the company's security development lifecycle.

No doubt this paper will become a reference for any organization looking at rolling out security engineering training.

About the Author: Eric Baize

Throughout his career, Eric Baize has been passionate about building security and privacy into systems and technology from design to deployment. He currently leads Dell EMC's Product Security Office and serves as Chairman of SAFECode, an industry-led non-profit organization dedicated to advancing software and supply chain security best practices. At Dell EMC, Eric leads the team that sets the standards and practices for all aspects of product security across the product portfolio: vulnerability response, secure development, consistent security architecture and code integrity. Eric joined Dell through its combination with EMC, where he built EMC's highly successful product security program from the ground up and was a founding member of the leadership team that drove EMC's acquisition of RSA Security in 2006. He later led RSA's strategy for cloud and virtualization. Prior to joining EMC in 2002, Eric held various positions with Groupe Bull in Europe and in the US. Eric has been a member of the SAFECode Board of Directors since the organization was founded in 2007 and also serves on the BSIMM Board of Advisors. He holds multiple U.S. patents, has authored international security standards, is a regular speaker at industry conferences and has been quoted in leading print and online news media. Eric holds a Master of Engineering degree in Computer Science from Ecole Nationale Supérieure des Télécommunications de Bretagne, France, and is a Certified Information Security Manager. Follow Eric Baize on Twitter: @ericbaize