Data breaches are the worst nightmare for any business. Over 75% of companies reported that a data breach caused a material disruption to business processes. Once there’s a disruption, the impact is visible on two fronts: reputation and revenue. Let’s break this down for you:
When a data breach disrupts your business processes, you are not only incurring losses due to the disruption but also spending a considerable amount on recovering from the breach. Security Intelligence reports that the global average cost of a data breach is about $3.2 million. On top of this, your business reputation takes a beating as news of the breach spreads, hurting your revenue even further. Facebook, for instance, saw a massive drop in its share price after the Cambridge Analytica scandal came to public notice in early 2018.
So, what should you do? Avivah Litan, VP and Distinguished Analyst at Gartner Inc, says, “Protecting customer data is much less expensive than dealing with a security breach in which records are exposed and potentially misused.”
The Security Intelligence report also highlights that one of the most common root causes of data breaches is system glitches. These include technology failures such as vulnerabilities, as well as neglect or error on the part of a person. Taking a step back, most of these vulnerabilities and errors can be traced to a bad decision made while coding or to a bad system design decision. The developers are not really to blame here, though. The issue is that they don’t know what the right thing to do is when it comes to application security.
This is where Security training comes into the picture.
Why should you conduct Security Training for your Developers?
Developers are builders, not breakers. A developer will always look at a project through the lens of “How can I build it?”. While that go-getter approach is a strength most developers share, it’s equally important for them to ask “How can this break?”. Security training gives them this perspective. It makes them consider app or website security while building the system, so that it ends up far less vulnerable than it would otherwise have been.
How to conduct Security Training for your Developers?
If you ask any developer, they wouldn’t be too pumped up about security training. Traditional security training leaves developers bored and uninterested. As a result, they probably won’t retain most of it and won’t apply it to their projects. To conduct effective security training for your developers, you should build it around three key components:
Before your developers can go out and write secure code, they need to be made aware of security and its impact. For this, you need to create a knowledge repository for them to learn from. While preparing a 100-page training manual is a fast way to get it done, more often than not it’s not very effective. You might consider classroom training, but that has its own limitations, such as availability, and there’s no way to go back to the information that was shared.
The best choice here is to create an online training manual for your team that can be accessed by the developers anytime and anywhere. Online training manuals are usually more interactive, can include multimedia elements, and have options for evaluation too. For instance, on Siminars, you can include images, videos, presentations, blogs and pdfs to your courses. You can also add quizzes and questions for your employees to gauge their learning.
Ideally, for security training, you should cover these topics:
- Why Security Training
- Benefits of Security Training
- Best Practices for Secure Code
- Role-Based Security Practices
As Benjamin Franklin rightly stated, “Tell me and I forget, teach me and I may remember, involve me and I learn.” It is important to involve your developers in their security training. While interactive online training helps them understand the key concepts, hands-on training helps them apply those concepts.
To conduct hands-on training, you have plenty of fun and engaging options to choose from. Some of them include:
One of the most exciting ways of conducting security training, capture-the-flag exercises pit developers against one another. Developers are divided into teams, where one team tries to break the system while the other actively defends it. It’s a developer war in which everyone brings their might and focuses on the security of the system. You can also use Facebook’s open-source capture-the-flag platform to start running these at your company.
Hackathons challenge the competitive spirit of developers and bring out the best of their abilities. Conducting hackathons centered on security lets you engage your developers and train them at the same time. Facebook’s Hacktober is one of the best examples of this: during it, Facebook runs interactive workshops, capture-the-flag competitions, and educational sessions with the security team.
While you can conduct hands-on events once in a while, it’s important to build a culture wherein security training is an ongoing practice. Only then will developers become familiar with the concepts and actually apply them in their code efficiently.
Etsy has pioneered a culture of security training by actually embedding its developers in the security team for a set amount of time. Junior developers start their journey at the company by spending a week with the security team. Senior developers, on the other hand, spend up to a month with the security team each year.
Another common culture-building practice is to introduce an internal bug bounty program. As the name suggests, such a program encourages developers to actively look for bugs and report them. This helps build a knack for finding security issues. After all, if they can identify vulnerabilities in someone else’s code, they can find them in their own code too.
In the End
The underlying fact is that your developers want to build a secure system. They want to avoid as many bugs as possible in their code. All you need to do is ensure they have the right training and knowledge to build the least vulnerable version of their system.
However, always keep in mind that your training should not bore the developers, lest they forget it and fail to apply security principles in their code. So, what are you waiting for? Take the first step and build interactive security training for your developers on Siminars.