By Peter Ganzevles
Having delivered training for a
long time and being involved in the process for even longer, I have come across
many different people and even more questions. I’ll get questions I never
thought about being asked, coupled with questions that I expect. However, there
is one question I get more than any other, and it usually reads something like
this:
“Thank you for the training, the developers gave good
feedback on it. Now I know someone who I think would benefit from a training
too, but how can I convince them that it’s worth it?”
This blog post will answer this question
and address the topic more thoroughly than in a quick email response. In this
post, we’ll address the value of training developers, and why it is worth
doing.
Just Like… Fishing
And no, I don’t mean phishing. The famous quote from 12th
century philosopher Maimonides told us that you can “give a man a fish, and you feed him for a day. Teach a man to fish,
and you feed him for a lifetime.” This quote is key to understanding the
importance of training from a business perspective. Over the course of my
penetration testing career, I’ve tested clients’ applications, found some
horrible flaws and reported them in the best way I could to help them fix the
issue. Then, a year later, I’d carry out a retest, and while they had fixed
that instance of the issue, the same underlying mistake had been repeated
elsewhere in a new feature, producing a similar issue.
These recurring issues are the prime example of a lack of
knowledge in a particular area, and there are two ways to deal with them. The
first is to come back for a retest just before every major release, but that
requires a lot of time and effort to schedule, is rather costly, and generally
inspires little confidence in the application. The second option is to train
the developers, testers and project leaders to be aware of the risks when writing
applications to prevent them from writing vulnerable code or missing it during
testing.
Just Like… Puppies
There are hundreds of ways to train a
developer, and while each has its merits, some are more effective than others.
When toilet training a puppy, owners often make the mistake of pushing the
puppy’s nose into where the ‘accident’ happened, to teach the dog that it has misbehaved.
While the dog will learn quickly and avoid that spot, the same might happen
five feet to the left. Similarly, shoving coding mistakes into a developer’s
face and hoping that they’ll learn will likely have the same effect. The same
code won’t be rewritten, but the underlying issue is likely to rear its head
again in the future.
Another method is to run the class through a one-day course
where we show the major flaws that often occur in applications. While this is
quick and relatively cheap, it is unstimulating for most; it will not
necessarily be adjusted to their skill levels, since it needs to be challenging
for the more experienced and comprehensible for the less experienced, which
makes it somewhat unsuited for both. While a course like this can work for a
company with a small group of developers and testers who all have a similar
skill level, it is not the solution I’d consider best.
Just Like… University
That brings us to the method that we’ve tried and tested for
a few years now, which is a two-day course that functions similarly to a
university. While the initial information is still presented to the group, it
is offered in a way that allows for discussion and questions throughout each
topic. Then, after the topic is over, every student gets the chance to practise
what they’ve learned hands-on, either alone or in pairs, to ensure they fully
understand what they’ve learned. The best thing about this hands-on part of the
training is that it’s not just me teaching and helping; the students do so as
well. Ideas are exchanged, tips are given, and real stories from their own
development career are shared. I’ve even had people leave the room to fix code
on the spot!
Just Like… That
So, what are the long-term benefits of this method? I have
given training to many companies and each has given a different answer. Some
were able to grow further without hiring more testers, as fewer mistakes were
made and the existing testing team had a lighter workload as a result. Many of
them also explained that while training is an investment early on, it decreases
the number of issues found during penetration tests, which reduces the amount
of time developers spend fixing issues, allowing them to spend that time on
feature requests instead. A handful of clients even hinted that they were getting
more customers, as they could prove that they were more secure than their
competitors. Another client said that they were now using their newly found
security knowledge in their recruiting process to find even better and more
suited additions to the team, which then helped to increase the overall
maturity. And finally, it is valuable for employees as they can put the skills
on their resume should they ever change jobs, and with the ever-increasing
demand for security knowledge, that isn’t a bad thing.