Let’s assume your market research confirmed the need for a product and you went ahead and developed one. You even have a list of prospective customers who are eager to check out the product before buying. Further, let’s assume the customers know the broad requirement for which they are trying to find a solution but don’t know whether an off-the-shelf product which doesn’t require any customization would be better or whether a product that needs to be significantly tailored to their needs would be better.
As more and more customers demand products developed in a secure manner, ISVs (Independent Software Vendors) realize that imparting regular security training to their development teams is slowly becoming a norm. Metaphorically, an application security training program can thus be considered as the product and members of various teams as prospective customers.
What do you think would be a better offering for the development teams, a fixed training program or a customized one? Hold on to your answer and read on to find out the key aspects that should be addressed to arrive at a data-driven answer:
- Prior knowledge: Has the intended audience been through a similar application security training program before? If so, what areas did they find to be most effective, least effective?
- Duration: What kind of development model do the development teams use? For example, teams on Agile (Scrum) work in sprints, each of which lasts between 2 and 4 weeks. Dedicating a few days to a security training program is practically infeasible for such teams. Can the offering be compressed to accommodate this?
- Time of training vs. time of use: When will the attendees be able to use the knowledge gained? For example, a .NET development team is educated about the use of the Fortify SCA (Source Code Analyzer) tool, rule customization, false positive analysis, etc. Would they be installing and trying out the tool for their current release, would that be part of a future roadmap, or is it not yet decided?
- Content: Will the applicability of each section be considered while outlining the training agenda? For example:
  a. Covering CAS (Code Access Security) in a .NET training program wouldn’t give any ROI if the team in attendance has no plans to use it at all in their current or future releases.
  b. Covering a section on buffer overflow issues and compiler security flags wouldn’t be of any use to attendees working with managed code on a day-to-day basis.
  c. Web services behave differently than web applications. Covering web application vulnerabilities in detail during the training would not be of much use to attendees whose KRA (Key Result Area) is to develop web services.
In our experience, ROI for the attendees does increase significantly if all the customization aspects listed above are factored in.
About the Guest Blogger:
Vishal Asthana, CISSP is our Regional Director for India operations.
Prior to this, he was part of the central security team at Symantec which was responsible for building a culture of proactive application security across development teams’ end-to-end development lifecycle (SDLC). This was accomplished by use of a combination of quantitative and qualitative activities. Quantitative activities included threat modeling, application penetration tests, false positive analysis and issue prioritization etc. Qualitative activities included generic/customized security training, business case preparation etc.
He is passionate about security aspects of Agile development environments and is the lead author of SAFECode’s paper “Software Security Guidance for Agile Practitioners”, released in July 2012. Before this, he presented Symantec’s work in the Agile security area at Security Development Conference 2012 and SOURCE Barcelona 2010.
Vishal has 13+ years of technical and techno-management experience obtained in the US and India across diverse industries (Software/Hardware security product companies, reprographics, BPO). He holds a Master’s Degree in Electrical Engineering from the University of Southern California (USA) and a Bachelor’s Degree in Electronics and Telecommunication from the University of Chennai (India).