Despite the evolution and use of more sophisticated cybersecurity controls and tools to ensure data security in modern corporations, cyber-attacks are becoming more commonplace and are causing massive damage worldwide. While the average cost of a data breach soars into the millions, reports indicate that 88 percent of companies have had a data breach. In addition to this, while a large number of vulnerabilities are found within the network layer of corporations - resulting in executive decisions to harden network infrastructures - nearly 70 percent of high-risk vulnerabilities are found at the top portion of the network stack - the application layer. Unfortunately, only a small percentage of developers have any role in testing applications for security, which - with the division between developers and security engineers.

The weakest link of all cybersecurity breaches, exploits, and major issues lies with end-users and developers - people. The security knowledge of the developer and how the software is developed plays a major role in how secure applications will be before end-users come into the picture. Research into corporate infrastructures has shown that developers often create security issues instead of mitigating them (while executives often don't offer security training). Thus the burden of responsibility falls upon software engineers to develop secure applications that do not contain security vulnerabilities. At the development level, training is the first step in establishing a satisfactory overall Secure Software Development Life Cycle (SSDLC), as it begins with educating the engineers who will be building the architecture and developing the applications. The training should not stop with the developers themselves - as many SDLC models seek to increase collaboration and integration with development teams, it is important for all members associated with a software project to receive thorough security training to ensure that security is a core concern at every step of the SDLC.

Thus, while developers, QA testers, executives, project managers, and operations administrators, etc. may all have different roles, when each one has been trained in cybersecurity the security of applications will go from being a distant, back-seat objective to a core objective, resulting in secure applications that save money. This can result in more informed decisions at the executive level, as the post-production security of the application and the hostile environment associated with a deployed application will be better understood, and threats can be better mitigated. Security training of all personnel will also help to make cybersecurity more prominent during discussion, planning, and board meetings. Currently more than seventy percent of developers admit that security is not discussed during SDLC planning discussions, and a minute amount discussion time was devoted to security topics within major sectors of the software industry.

As software engineering is a discipline that is always evolving, teaching security engineering concepts is a valuable next step for talented team members that have a drive to learn and a passion to produce applications that perform well and are also secure. Interestingly, approximately 80 percent of cyber-attacks carried out on major corporations can be easily avoided, since many of such attacks are carried out by so-called script kiddies who use automated tools without much knowledge of actual hacking. Generally, they simply probe different IT systems and attempt to scan for vulnerabilities to invade any system that they can access. Thus, basic security training for your employees can help to mitigate 80 percent of potential cyber-attacks on your company. Security training can be broken up into three phases, as follows:

SECURITY AWARE

Becoming security-aware is a necessary pre-requisite for adopting correct, security best practices during SDLC phases. It is thus necessary for all project team members to complete basic security training modules, which should always include network security, cryptography, and application security. In addition to this, more specific topics such as social engineering, phishing, secure coding, and basic hacking methodologies should be taught, along with different secure SDLC models. A comprehensive teaching of the OWASP Top 10 is also mandatory, and obtaining the Security+ certification is also helpful.

SECURITY SKILLED

After establishing basic security knowledge, your development personnel can take more advanced security training (e.g. secure coding, CISSP certification) and engage in hands-on exercises, such as Capture the Flag (CTF), Attack-Defense, or gamified security challenges such as Jeopardy style security trivia games.

SECURITY CHAMPION

The last level in security training encompasses learning advanced secure coding methodologies in relation to corporate platforms and frameworks. A very important step that will help to assess the security training of employee, is giving them the responsibility of conducting security scans, security audits, and code reviews for other software engineers. Some advanced-level responsibilities can also include teaching other engineers security best practices - via blogs, internal corporate wiki posts, group discussions, etc. - and organizing the security competitions or gamified cyber-challenges for the security aware and security skilled developers.