Alex Makumbi
21 January 2017
This article demonstrates the importance of security training in preparation for the software development life cycle. I will discuss why security training matters for secure software development, giving five reasons it should take place before the SDL process is executed.
Organizations face new threats each year that aim to damage or compromise critical assets, or to degrade public trust through data dumps, among other outcomes. The most effective way to keep pace with evolving threats is to prioritize business security training in preparation for secure software development. Security training ensures that, as business requirements change, employees are in a position to conceptualize and apply secure software development practices and techniques, assuring that critical assets are adequately protected. Hence, through security training, a business-requirements approach to developing software is taken, as opposed to an adversarial approach.
Above we mentioned that each year brings an evolution of new threats; this is largely due to the emergence of new technologies, such as Web 2.0 and Internet applications. For this reason, existing skill sets often fall behind that evolution, weakening an organization's ability to keep pace with security threats. Annual security training ensures that employees are trained on the security technologies that keep a product from being unexpectedly left unprotected. Statistics from the United States Computer Emergency Response Team (CERT) show a rapid progression in the total number of software vulnerabilities catalogued, hovering at about 7,000–8,000 per year from 2006 through 2008, up from about 1,100 in 2000.
Not only does annual security training ensure that employees keep pace with the emergence of new threats, technologies and security technologies, the education also builds a deeper understanding of software security, allowing for further mitigation of security vulnerabilities. An employee is then able to react appropriately when situations arise that fall outside their training. Furthermore, through training, those employees who are excited by security can serve as mentors for others, helping with secure code development or with the use of a specific code review tool.
When an organization elects to focus on providing annual security training to its employees, over time a security-first culture naturally emerges, permeating from executive directors all the way down to customer service representatives. Annual security training tailored to specific positions in the company facilitates this security-first culture. So, as you can see, security training does not begin and end with software development; it encompasses the whole organization.
A security-trained workforce ensures that software vulnerabilities are mitigated over time. It is well documented that the cost savings from finding and fixing vulnerabilities very early in the development cycle are significant - we cannot overlook this fact. We have to note, however, that there is no parallel correlation between software vulnerabilities and material loss, but with the emergence of new technologies the best way to ensure a reduction in vulnerabilities is a security-trained workforce.