When you think “security awareness,” the first thing that comes to mind is likely the training you provide non-security staff related to persistent threats like phishing. While this type of training will always be important, it is also becoming necessary to augment traditional programs with specialized application security awareness training for your CI/CD-related teams as organizations adopt a “shift left” approach to security.
In order to keep up with the growing pace and volume of DevOps releases, security is being integrated earlier in the CI/CD pipeline. Security tools like SCA and RASP are designed to automate application vulnerability remediation, but even the most sophisticated tools can’t completely eliminate risk. It also takes focused training for the people involved to ensure a secure CI/CD pipeline.
Who Needs Application Security Awareness Training?
While your general security awareness program is offered company-wide, your application security awareness training program should be focused on the stakeholders in the application development process, including everyone from the developers themselves to product or application owners, infrastructure engineers, and project or team leads.
In order to meet PCI DSS requirements, developers need to receive annual secure coding training, so many organizations will focus their efforts on this group, but your entire IT team could benefit from some level of application security awareness training if you intend to adopt a true DevSecOps culture.
Delivery of Training Program
Administering any kind of security awareness training can be challenging when competing priorities constantly vie for resources and employees’ time, particularly for a development team focused on meeting release deadlines. In a 2021 RH-ISAC survey that explored application security awareness training programs at member organizations, CISOs indicated that having a learning management system (LMS), whether provided through a vendor or built in-house, was essential: it simplified program delivery and allowed training courses to be customized by employee job role and by technical requirements such as coding language. Some of these systems also offered gamification capabilities and allowed for incentives for completing training.
Though training is required for developers, it should not be just another compliance box to tick. Take this opportunity to provide relevant training that can improve the security of your applications. Solicit feedback from your development team to learn how they rate the current training. Application development is constantly changing, and information can quickly become outdated. Training should include new sources of vulnerabilities such as cloud environments and APIs, where developers may be less familiar with security challenges.
Training that presents real-world scenarios in an interactive environment is ideal for developers who can benefit from hands-on experience, as opposed to a lecture. Developers are typically focused on getting things to work, not considering all the ways attackers could manipulate their code. Consider providing demos showing how hackers can break their code and the ramifications of these attacks, so they have a better understanding of the enemy they’re fighting against.
Topics Covered in an Application Security Awareness Training Program
Secure Coding Practices
In a 2021 RH-ISAC survey, CISOs reported safe coding practices as the number one topic included in their application security awareness training programs. Safe coding practices are standards that should be followed to avoid introducing vulnerabilities through bugs or logic flaws. General, language-agnostic secure coding principles exist, such as denying access by default and validating input from external data sources. There are also language-specific best practices that provide more technical detail. The Open Web Application Security Project (OWASP) provides a secure coding practices checklist that can be used to confirm secure coding practices are being addressed during development.
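The two language-agnostic principles named above, deny access by default and validate external input, are concrete enough to show in code. The following is an added example written for this page, not code from RH-ISAC or from OWASP; the role names, the order records and the permission table are constructed for illustration.

```python
"""Added example: deny-by-default authorization plus allowlist input validation.

Roles, order records and grants below are constructed sample data, not from
any real system.
"""
import re
from dataclasses import dataclass

# Explicit grants as (role, action, resource_type). Anything not listed is
# denied: there is no "else allow" branch anywhere in this module.
PERMISSIONS = {
    ("owner", "read", "order"),
    ("owner", "update", "order"),
    ("support", "read", "order"),
}

# External input is only accepted if it matches the expected shape exactly.
ORDER_ID_RE = re.compile(r"[0-9]{1,12}")


@dataclass(frozen=True)
class Order:
    order_id: str
    owner_id: str


# Constructed sample records standing in for a database.
ORDERS = {
    "1001": Order("1001", "alice"),
    "1002": Order("1002", "bob"),
}


def validate_order_id(raw):
    """Reject anything that is not a short digit string before it reaches a lookup."""
    if not isinstance(raw, str) or not ORDER_ID_RE.fullmatch(raw):
        raise ValueError("invalid order id")
    return raw


def authorize(user_id, role, action, order):
    """Return "allow" only for an explicit grant; every other path is a deny."""
    # Object-level check: a customer is treated as "owner" only of their own orders.
    if role == "customer":
        if order.owner_id != user_id:
            return "deny:not-owner"
        effective_role = "owner"
    else:
        effective_role = role
    if (effective_role, action, "order") not in PERMISSIONS:
        return "deny:no-grant"
    return "allow"


def get_order(user_id, role, raw_order_id):
    """Validate input, then authorize; unknown and forbidden orders look the same."""
    order_id = validate_order_id(raw_order_id)
    order = ORDERS.get(order_id)
    if order is None:
        return None
    if authorize(user_id, role, "read", order) != "allow":
        return None  # same answer as "not found" so existence is not leaked
    return order


if __name__ == "__main__":
    print(get_order("alice", "customer", "1001"))   # Order(order_id='1001', owner_id='alice')
    print(get_order("bob", "customer", "1001"))     # None
    print(authorize("carol", "intern", "read", ORDERS["1001"]))  # deny:no-grant
```

The permission table is the only place that can say yes; a new role or action added to the product is denied until someone deliberately grants it, which is the behaviour "deny by default" is meant to guarantee. The separate ownership check matters because a grant to a role says nothing about which objects that role may touch.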
OWASP Top 10
The OWASP Top 10 is a list of the 10 most critical web application security risks at any given time, with the most recent list released in 2021. These categories account for some of the most frequently seen application security attacks, which is why the OWASP Top 10 is a vital part of application security awareness training.
- Broken Access Control
- Cryptographic Failures
- Insecure Design
- Security Misconfiguration
- Vulnerable and Outdated Components
- Identification and Authentication Failures
- Software and Data Integrity Failures
- Security Logging and Monitoring Failures
- Server-Side Request Forgery
Tools and Testing
Integrating security into the development process requires developers to be familiar with security tools such as vulnerability scanners, static application security testing (SAST), and dynamic application security testing (DAST). Your IT and security teams should agree on workflows for security testing and determine which tools are needed to identify vulnerabilities early in the development process. Developers are used to testing their code for functionality but may not be used to testing with a security focus.
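To make the SAST idea concrete for developers who have only ever run functional tests, here is a small static check written for this page as an added example; it is not part of the RH-ISAC post and is not a real SAST product. It parses Python source into an AST and flags three patterns a code reviewer would want to look at: dynamic code execution, shell-invoked subprocesses, and YAML loading without an explicit loader. The source it scans is a constructed sample embedded in the block.

```python
"""Added example: a minimal SAST-style checker over Python source.

The rules and the SAMPLE_SOURCE below are constructed for illustration; real
SAST tools cover far more patterns and track data flow between them.
"""
import ast

# Constructed sample input: four short functions, three of them risky.
SAMPLE_SOURCE = '''\
import subprocess, yaml
def run(cmd):
    return subprocess.run(cmd, shell=True)
def load(doc):
    return yaml.load(doc)
def calc(expr):
    return eval(expr)
def safe_load(doc):
    return yaml.load(doc, Loader=yaml.SafeLoader)
'''


def _call_name(node):
    """Dotted callee name for a Call node, e.g. 'subprocess.run' or 'eval'."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return f"{func.value.id}.{func.attr}"
    return None


def _keyword(node, name):
    """Value node of keyword argument `name`, or None if absent."""
    for kw in node.keywords:
        if kw.arg == name:
            return kw.value
    return None


def scan(source):
    """Return sorted (line, rule_id, callee) findings for the given source text."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _call_name(node)
        if name in ("eval", "exec"):
            findings.append((node.lineno, "dynamic-code-execution", name))
        elif name and name.startswith("subprocess."):
            shell = _keyword(node, "shell")
            if isinstance(shell, ast.Constant) and shell.value is True:
                findings.append((node.lineno, "shell-true", name))
        elif name == "yaml.load":
            # A loader may be passed positionally (2nd arg) or as Loader=...;
            # flag only when neither is present.
            if len(node.args) < 2 and _keyword(node, "Loader") is None:
                findings.append((node.lineno, "unsafe-yaml-load", name))
    return sorted(findings)


if __name__ == "__main__":
    for line, rule, callee in scan(SAMPLE_SOURCE):
        print(f"line {line}: {rule} ({callee})")
```

Even this toy illustrates the two properties developers should understand about SAST: it runs without executing the code, so it fits a pre-merge pipeline stage, and it reasons only about what is syntactically visible, so `shell=flag` with `flag` set elsewhere would be missed. That gap is exactly why the page pairs SAST with DAST rather than relying on either alone.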
New Sources of Vulnerabilities
APIs are increasingly becoming a source of risk as they become more prevalent in our applications. The cloud has also changed the way we develop and access applications. Issues like authorization and identification that developers may once have understood well may need to be revisited in the new contexts in which your applications are being deployed.
Take your security awareness training beyond the training modules to include application security tips in internal communications such as newsletters. Have meetings between departments to facilitate communication on security strategy.
If you’re interested in starting or improving your application security awareness training program, make sure to check out the RH-ISAC Survey Report: Application Security Awareness & Training on Member Exchange. You can also find additional resources by joining the Security Awareness or Application Security working groups. Not an RH-ISAC member? Learn more about how being a part of the RH-ISAC’s member community can benefit you.