Wednesday 15 May 2019

Security Training for Developers: Cost Saver & Business Enabler

By Peter Ganzevles

Having delivered training for a long time and being involved in the process for even longer, I have come across many different people and even more questions. Some are questions I never expected to be asked, alongside the ones I always expect. However, there is one question I get more than any other, and it usually reads something like this:

“Thank you for the training, the developers gave good feedback on it. Now I know someone who I think would benefit from a training too, but how can I convince them that it’s worth it?”

This blog post answers that question more thoroughly than a quick email reply can. In it, we’ll look at the value of training developers, and why it is worth doing.

Just Like… Fishing
And no, I don’t mean phishing. The famous quote from the 12th-century philosopher Maimonides told us that you can “give a man a fish, and you feed him for a day. Teach a man to fish, and you feed him for a lifetime.” This quote is key to understanding the importance of training from a business perspective. Over the course of my penetration testing career, I’ve tested clients’ applications, found some horrible flaws and reported them in the best way I could to help them fix the issue. Then, a year later, I’d carry out a retest, and while they had fixed that instance of the issue, the same underlying mistake had been made again in a new feature, causing a similar issue.

These recurring issues are the prime example of a lack of knowledge in a particular area, and there are two ways to deal with this. The first is to come back for a retest just before every major release, but that requires a lot of time and effort to schedule, is rather costly, and generally inspires little confidence in the application. The second option is to train the developers, testers and project leaders to be aware of the risks when writing applications, so that they avoid writing vulnerable code in the first place and catch it during testing when they don’t.

Just Like… Puppies
There are hundreds of ways to train a developer, and while each has its merits, some are more effective than others. When toilet training a puppy, owners often make the mistake of pushing the puppy’s nose into where the ‘accident’ happened, to teach the dog that it has misbehaved. While the dog will learn quickly and avoid that spot, the same might happen five feet to the left. Similarly, shoving coding mistakes into a developer’s face and hoping that they’ll learn will likely have the same effect. That particular code won’t be written again, but the underlying issue is likely to rear its head elsewhere in the future.

Another method is to run the class through a one-day course where we show the major flaws that often occur in applications. While this is quick and relatively cheap, it is unstimulating for most; it cannot easily be adjusted to the group’s skill levels, since it needs to be challenging for the more experienced and comprehensible for the less experienced, which makes it somewhat unsuited for both. While courses like this have their place for companies with a smaller group of developers and testers who all have a similar skill level, it is not the solution I’d consider best.

Just Like… University
That brings us to the method that we’ve tried and tested for a few years now, which is a two-day course that functions similarly to a university. While the initial information is still presented to the group, it is offered in a way that allows for discussion and questions throughout each topic. Then, after the topic is over, every student gets the chance to practise what they’ve learned hands-on, either alone or in pairs, to ensure they fully understand what they’ve learned. The best thing about this hands-on part of the training is that it’s not just me teaching and helping, it’s the students as well. Ideas are exchanged, tips are given, and real stories from their own development career are shared. I’ve even had people leave the room to fix code on the spot!

Just Like… That
So, what are the long-term benefits of this method? I have given training to many companies and each has given a different answer. Some were able to grow further without hiring more testers, as fewer mistakes were made and the existing testing team had a lighter workload as a result. Many of them also explained that while training is an investment early on, it decreases the number of issues found during penetration tests, which reduces the amount of time developers spend fixing issues, allowing them to spend that time on feature requests instead. A handful of clients even hinted that they were getting more customers, as they could prove that they were more secure than their competitors. Another client said that they were now using their newly found security knowledge in their recruiting process to find even better and more suited additions to the team, which then helped to increase the overall maturity. And finally, it is valuable for employees as they can put the skills on their resume should they ever change jobs, and with the ever-increasing demand for security knowledge, that isn’t a bad thing.