SECURE SOFTWARE DEVELOPMENT LIFE CYCLE
TRAINING PHASE (SSDLC)
THE FIRST PHASE OF THE SECURE SDLC IS THE TRAINING PHASE
The weakest link of all cybersecurity breaches, exploits, and major issues lies with end-users and developers - people. The security knowledge of the developer and how the software is developed plays a major role in how secure applications will be before end-users come into the picture. Research into corporate infrastructures has shown that developers often create security issues instead of mitigating them (while executives often don't offer security training). Thus the burden of responsibility falls upon software engineers to develop secure applications that do not contain security vulnerabilities. At the development level, training is the first step in establishing a satisfactory overall Secure Software Development Life Cycle (SSDLC), as it begins with educating the engineers who will be building the architecture and developing the applications. The training should not stop with the developers themselves - as many SDLC models seek to increase collaboration and integration with development teams, it is important for all members associated with a software project to receive thorough security training to ensure that security is a core concern at every step of the SDLC.
Thus, while developers, QA testers, executives, project managers, operations administrators, etc. may all have different roles, when each one has been trained in cybersecurity the security of applications will go from being a distant, back-seat objective to a core objective, resulting in secure applications that save money. This can result in more informed decisions at the executive level, as the post-production security of the application and the hostile environment a deployed application faces will be better understood, and threats can be better mitigated. Security training of all personnel will also help to make cybersecurity more prominent during discussion, planning, and board meetings. Currently more than seventy percent of developers admit that security is not discussed during SDLC planning discussions, and a minute amount of discussion time was devoted to security topics within major sectors of the software industry.
Cybersecurity training will help to disseminate security concepts that can ensure that all employees working on projects are included during security discussions, and helps to reinforce the cybersecurity knowledge and terminology that pertains to such discussions.
CORE SECURITY TRAINING FOR
BUILDING SOFTWARE THAT IS SECURE
Becoming security-aware is a necessary prerequisite for adopting correct security best practices during SDLC phases. It is thus necessary for all project team members to complete basic security training modules, which should always include network security, cryptography, and application security. In addition to this, more specific topics such as social engineering, phishing, secure coding, and basic hacking methodologies should be taught, along with different secure SDLC models. A comprehensive teaching of the OWASP Top 10 is also mandatory, and obtaining the Security+ certification is also helpful.
After establishing basic security knowledge, your development personnel can take more advanced security training (e.g. secure coding, CISSP certification) and engage in hands-on exercises, such as Capture the Flag (CTF), Attack-Defense, or gamified security challenges such as Jeopardy-style security trivia games.
The last level in security training encompasses learning advanced secure coding methodologies in relation to corporate platforms and frameworks. A very important step that will help to assess the security training of employees is giving them the responsibility of conducting security scans, security audits, and code reviews for other software engineers. Some advanced-level responsibilities can also include teaching other engineers security best practices - via blogs, internal corporate wiki posts, group discussions, etc. - and organizing security competitions or gamified cyber-challenges for security-aware and security-skilled developers.
TRAINING IN SECURE SOFTWARE DEVELOPMENT
ALSO BREAKS DOWN TO SPECIALIZATIONS
UNDERSTANDING THE OWASP TOP 10
• Injection (e.g. SQLi)
• Cross-Site Request Forgery (CSRF)
• Cross-Site Scripting (XSS)
• Lack of efficient Transport Layer protection
Becoming an advanced-level "security champion" requires gaining an intimate knowledge of not only basic secure software development methodologies, but also of more advanced concepts and tools associated with developmental specializations. Having in-depth knowledge of the different application frameworks - and how to develop efficiently and securely with them - is an integral step, as each framework offers different features, functions, and security protections that must be fully researched, and their use well documented, in order to be used efficiently by your engineering teams. To make the best use of such frameworks, secure default parameters should be built into project templates for distribution to the rest of the engineering teams to maximize cybersecurity efficiency. In addition to this, centralized libraries - for validation, encoding, authentication, authorization, etc. - should be created and distributed to engineering teams for use. This will increase the productivity and efficiency of software engineering teams regarding the secure coding of applications.
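The following is an added example, not code from the original document, of what such a centralized library might look like in practice. It covers three of the OWASP Top 10 items listed above (injection, XSS, CSRF) with a single module that teams import so that the safe behaviour is the default: allowlist validation of input, HTML encoding at output time, placeholder-bound SQL beside the string-built query it is meant to replace, and a constant-time CSRF token check. The function names, the username pattern, and the in-memory SQLite schema with two sample users are assumptions made for this example.

```python
"""Illustrative 'secure defaults' library, constructed for this example.
One module that engineering teams import for validation, output encoding,
data access and CSRF handling, so that the secure path is the easy path.
Names, the username allowlist and the sample schema are assumptions."""
import html
import hmac
import re
import secrets
import sqlite3

# --- Validation: allowlist the shape of untrusted input -------------------
# Assumed policy: usernames are 3-32 characters of letters, digits, underscore.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,32}$")


def validate_username(value: str) -> str:
    """Return the username if it matches the allowlist, else raise ValueError."""
    if not isinstance(value, str) or not USERNAME_RE.fullmatch(value):
        raise ValueError("invalid username")
    return value


# --- Encoding: encode at output, for the context the data lands in ---------
def encode_html(value: str) -> str:
    """HTML-entity encode untrusted text before it is placed in an HTML body
    or attribute; this is the XSS defence the library centralizes."""
    return html.escape(value, quote=True)


# --- Data access: parameterized queries instead of string building -------
def setup_db() -> sqlite3.Connection:
    """Constructed in-memory database with two sample users (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def find_role_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """The pattern the library exists to replace: SQL assembled by string
    formatting, so a quote in the input changes the query's meaning."""
    rows = conn.execute(f"SELECT role FROM users WHERE name = '{name}'").fetchall()
    return sorted(r[0] for r in rows)


def find_role(conn: sqlite3.Connection, name: str) -> list:
    """Library default: placeholder binding; the driver never treats the
    input as SQL, so the same input simply matches no row."""
    rows = conn.execute("SELECT role FROM users WHERE name = ?", (name,)).fetchall()
    return sorted(r[0] for r in rows)


# --- CSRF: unguessable per-session token, compared in constant time -------
def new_csrf_token() -> str:
    """256 bits from the OS CSPRNG, URL-safe for embedding in a form."""
    return secrets.token_urlsafe(32)


def csrf_token_valid(expected: str, presented: str) -> bool:
    """Constant-time comparison avoids leaking token bytes via timing."""
    return hmac.compare_digest(expected, presented)


if __name__ == "__main__":
    conn = setup_db()
    probe = "x' OR '1'='1"          # classic textbook input used to show the defect
    print("string-built query returns:", find_role_unsafe(conn, probe))  # every role
    print("parameterized query returns:", find_role(conn, probe))        # nothing
    print(encode_html('<img src=x onerror="alert(1)">'))
    token = new_csrf_token()
    print("token round-trips:", csrf_token_valid(token, token))
```

The point of shipping this as one library rather than as guidance is that a developer who calls `find_role` and `encode_html` gets the safe behaviour without having to remember why, and a code reviewer only has to grep for the unsafe pattern (`f"SELECT` or raw `%` formatting into SQL) rather than re-audit every query.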