Teaching Cyber Blog

Secure Coding Training Guidance

How do developers build secure coding techniques? Secure code training is the most sensible route for developers to learn security skills.

Assess training needs first: what are the developers asking for, and what does the organisation need? Are there any clear gaps developers are struggling with? Determine the subject areas that are most relevant to your organisation, its technology and the codebase in use.

Don’t depend on one training resource; use a combination of online courses, workshops, webinars and books. Many resources are free and low cost.

Partner with a vendor, for example the OWASP Top Ten or even Microsoft secure coding, and tailor learning to align with these. Create training use cases that are specific to the organisation, include real-life examples, and share the security incidents that occurred within your own organisation. Align real-life activities in the organisation with the security controls in the vendor material, for example the OWASP Top Ten.

Provide example code snippets: before-and-after code showing insecure code versus secure code. Then test developers with incomplete examples to build their competence in identifying vulnerable code.

Direct all developers to additional resources, such as popular security websites like OWASP, as well as internal organisation material, standards, security guidelines, etc. Take the opportunity to sell the organisation's security team as a place to contact when help or assistance is needed.

Training evolves, so be prepared to refresh content on at least an annual basis; this includes any vendor-provided training. Stale, out-of-date software will cause students to switch off and not learn.

