Rolling Out an Effective Application Security Training Program
TRAINING & AWARENESS ORIENTATION FOR SECURE AND RESILIENT SOFTWARE DEVELOPMENT
187 Ballardvale Street, Wilmington, MA
Table of Contents
- Overview
- The Three Pillars of Secure Software Development
- Context is Key
- Principles for Software Security Education
- Getting People's Attention
- Putting the Pieces into Place
- Strategies for Rolling out Training
- You are not alone!
- Summary
- References
OVERVIEW

Today's development teams are encouraged to create software applications quickly and at acceptable cost. However, the traditional education that prepares them for new technologies, development languages, and infrastructures does not arm them with the defensive skills they need to meet the demands of organizations that require secure applications. While it would be ideal if those involved in specifying, developing, and testing applications arrived already prepared to meet security mandates, it often falls upon employers to fill the knowledge gaps in teams that are able to create quality software but not necessarily secure, resilient software.

THE THREE PILLARS OF SECURE SOFTWARE DEVELOPMENT

Software security can only be achieved once three elements are in place and operating effectively: Standards, Education, and Assessment, as shown in the figure to the left. All three feed into one another to create an ecosystem of repeatable, secure software development. Education is the middle pillar of a secure SDLC for a very good reason: education provides context.

Standards are needed to document security requirements on development projects, define the process for how you develop secure software, and define the technical details for secure design and implementation during development.

Education provides the knowledge necessary so that your team can successfully comply with the security requirements and standards in the development process. Education may include computer-based training, instructor-led training, or a hybrid combination of both. Education ensures standards are being implemented correctly.

Assessments are how you measure your applications and process to provide feedback to the team. SDLC analysis, penetration testing, code review, design review and automated scanning are all examples of assessments. Not only will you get feedback you can use for immediate vulnerability remediation, you can also use root cause analysis to create a cycle of continuous improvement in your Standards and Education pillars.

CONTEXT IS KEY

Without proper context, mandates for secure applications won't be communicated effectively to those who need to know. It's of little use to run around shouting that applications are vulnerable to Cross-Site Scripting, SQL Injection, Buffer Overruns, and so forth if the people you're shouting at have little clue what they're hearing and lack the knowledge to do something about it. And while prevention is always better than cure, programmers typically learn that their applications are insecure long after they've released them to production - and to the malicious users with the means to exploit them.
While Secure Software Development is only one of the topics within an overall Information Security Training Program, varied levels of awareness and training are needed to reach the various stakeholders within the SDLC. An effective program uses a layered approach that builds on foundational concepts that are relevant and timely for each role in each phase.

PRINCIPLES FOR SOFTWARE SECURITY EDUCATION

The following are basic principles to consider when setting up and maintaining an Education Program:

- Executive Management sets the mandate. When aligned with widely communicated management mandates for secure application development, you're given the appropriate license to drive a program from inception forward to continuous improvement. Software security programs that start out as a grassroots initiative typically fail to catch fire across the organization. You'll need this executive support for establishing a program, acquiring an adequate budget and staff, and keeping the program going in the face of setbacks or delays.

- Awareness and Training must be rooted in company goals, policies, and standards for software security. Establishing, then using, documented organizational goals, policies, and controls for secure development as the basis for a training program creates a strong connection between developer actions and compliance, and brings Defense in Depth to life.

- Learning media must be flexible and tailored to the specific roles within your SDLC. Not everyone can attend an in-person instructor-led course, so alternatives should be provided, such as Computer-Based Training, recorded live presentations, and so forth. Some of the alternatives at your disposal include:
  o Instructor-Led Training (ILT): Typically hands-on and lab-based; ideal for very technical or specialized and customized topics. ILT courses are often leveraged for the advanced development team members, or to generate more buy-in through a sense of team building.
  o Computer-Based Training (CBT): One of the fastest ways to get basic and foundational skills to many people quickly; it also provides an ability to assess and track knowledge.
  o Virtual Instructor-Led Training (VILT): Allows for some level of customization, can be conducted remotely, and is perfect for "refresher" training on courses/topics already taught.
  o Persistent Reference Materials (Learning at the Time of Need): Tools here are often built into, or readily available from, the environment a developer is already working in. These tools offer knowledge at your fingertips, with just-in-time reference material for solving specific issues with specific languages and computing environments.

- Learning should happen as close as possible to the point where it's needed. A long course that covers a laundry list of problems and solutions won't be useful when a specific issue crops up and the learner can't readily access whatever was mentioned related to the issue. Here is where Persistent Reference tools go a long way.

- Learning and practicing go hand-in-hand. The more people personally experience the "how to" of learning new skills, the better the questions they ask, and the quicker the knowledge becomes regular practice.
- Use examples from your own environment. The best examples of security problems come from your own applications. When people see issues with code and systems they're already working on or familiar with, the consequences of exploiting vulnerabilities hit close to home and become more real and less theoretical. Furthermore, demonstrating where these examples stray from internal standards for secure software helps people make the connection between what they should be doing and what they've been doing.

- Add Learning Milestones into your training and education program. People are less motivated to learn and retain discrete topics and information if learning is treated as a check-box activity. People want milestones in their training efforts that show progress and help them gain recognition. As you prepare a learning curriculum for various team roles, build in a way to recognize people as they successfully advance through the courses, and make sure everyone knows about it.

- Make your program company-culture relevant. Find an icon or well-known symbol in your organization that resonates with employees; then incorporate it in your program or build your program around it.

- BOLO (Be On the Look Out). Be on the lookout for people who participate in your awareness and training program and seem more enthusiastic or engaged than others. These people are candidates for becoming Internal Application Security Champions. People love thought leaders, especially when they're local, and you can harness their enthusiasm and interest to help advance your program.

- Keeping track of program maturity keeps people striving for improvements. There are a number of approaches to measuring the maturity of your software security program (Application Security Maturity Model (ASM) [i], Building Security In Maturity Model (BSIMM) [ii], Software Assurance Maturity Model (OpenSAMM) [iii], and others). It makes no difference which model you use, provided you use it consistently. Some organizations have discovered ways of using these models to compare internal software development organizations, and use them as a yardstick for some friendly competition and goal setting.

GETTING PEOPLE'S ATTENTION

Let's face it: application security is often the proverbial elephant in the room, a relatively new, complex and less understood discipline of Information Security. This makes it more difficult to bring it to the level of visibility it requires. Additionally, apathy is rampant, as many prior attempts at software security awareness either failed or caused people's eyes to glaze over, making it even more challenging to address an issue that ultimately only people can resolve.

Peter Sandman, a well-known professional who operates a Risk Communication practice, has identified a communication strategy that is most appropriate for software security awareness, as well as for other issues where apathy reigns but the hazards are serious (e.g. radon poisoning, employee safety, etc.). The strategy, called Precaution Advocacy, is geared to motivating people by overcoming boredom with the topic [iv]. Precaution Advocacy is used in high-hazard, low-outrage situations in Sandman's Outrage Management Model. The advocacy approach arouses some healthy outrage and channels this attention into mobilizing people to take precautions or demand precautions.
Precaution Advocacy suggests four ways of getting people to listen, then learn:

1. Learning without involvement. The average television viewer pays little attention to the commercials, but nevertheless knows dozens of advertising jingles by heart. Repetition is the key here. Posters, closed-circuit TV segments, mouse pads, elevator wraps, etc. are all useful examples.

2. Make your campaign interesting and entertaining. If you can arouse people's interest or entertain them, you'll get their attention and eventually you won't need so much repetition. Successful awareness efforts impart interesting or entertaining messages often and liberally.

3. Need to know. A primary motivator for learning is curiosity - it's easier to deliver information to people who are actively seeking it. Sandman advises creators of awareness programs to focus less on delivering the information, and more on motivating their audience to want to receive it. The more people understand that insecure software is a software engineering, human-based problem (not a network security problem), the more they'll want to learn how best to prevent these problems. Making software security a personal issue for those who can effect improvements, then giving them the tools and skills to leverage, will make them more valuable team members and lead to more secure software applications.

4. Ammunition. Psychologist Leon Festinger's Theory of Cognitive Dissonance argues that a great deal of learning is motivated by the search for ammunition to reduce the discomfort that people feel when they have done something, or decided something, that they're not confident is wise [v]. If others already believe that software security is a hazardous community-wide issue, with no cognitive dissonance, they won't need to pay so much attention to the arguments for addressing it. Overcoming cognitive dissonance is a vital step early in your awareness program, so that people can experience your information as supportive of their new behavior rather than as hostile to their old behavior.

The intent is not to frighten people or lead them to believe the sky is falling, but to motivate people into changing their behavior in positive ways that improve software security and contribute to the organization's goals. As your program progresses, metrics can show how improvements in one area lead to benefits in other areas: simpler and less frequent bug fixing, reduced time costs from reusable components shared within the development community, a higher percentage of time spent on feature development, etc.

PUTTING THE PIECES INTO PLACE

Beginning with an awareness campaign that's culturally sensitive, interesting, entertaining, memorable, and engaging gives you the head start you need to effect positive changes. Awareness needs to reach everyone who touches software development in your organization, from requirements analysts to post-production support personnel to Information Risk and Security teams. As you run your campaign, be sure to keep the material fresh and in step with what's going on inside your organization. Provide employees with the information they need to engage in the follow-on steps of training and education, and make those steps easy to complete.
People will naturally fall into specific roles, and each role has specific needs for specific information. For example:

- Architects and Leads
  o Secure code starts with secure requirements and design; an insecure design can compromise even well-written code
  o Security is required through all phases of the process
  o Consider threat modeling and code review processes

- Developers
  o Match training to the level of awareness, technologies, and platforms used
  o Writing secure code doesn't take any longer than writing insecure code; you just need to know which one to write
  o Most vulnerabilities are the result of the same coding error being made repeatedly. Learn to do it right the first time and you can save yourself and your testers a lot of work

- Testers
  o Reinforce that they are the last line of defense to verify the security of the end product
  o Testers can vary in capability from developer level to data input; try to get them motivated to learn more about coding so they can provide more helpful vulnerability feedback to developers

- Information Security Personnel
  o They know security; they don't necessarily know about application development
  o Focus on language normalization; many confuse standards and best practices with actual implementation know-how

- Management
  o Project and program management, line management and upper management
  o Need to understand the risks so they release the budgets to address them
  o The best way to demonstrate risk is to show actual vulnerabilities in your applications and the potential business impact should they be exploited

Training programs should be tailored for each role and built around existing skill levels and the platforms/technologies being used. Bundles of courses can be assembled to address baseline and advanced education. For example:
CSO Perspective
Prof. Dr. Sachar Paulus

Security is a people business because technology is ultimately built, configured, used and operated by humans, who can be either the strongest or the weakest link. The plethora of technology platforms, and of user roles that create and depend on those platforms, mandates education that is tailored to each environment. This is particularly germane in secure software development, an area that relies heavily on human participation and where automated tools are limited in their ability to create secure software - especially during the earlier development phases, where vulnerabilities are the most costly to fix.

While I was serving as CSO of SAP, our AppSec training program was successful because it was tied into SAP's overall security goals and had the support of executive management. Each member of our software development teams had to possess and maintain the skills needed to implement their security activities properly:
- Architects needed to be able to create a secure architecture that served as a blueprint for the developers
- Developers needed to understand how to apply security best practices to avoid vulnerabilities in the first place - and how to fix those that slip through
- Testers needed to understand vulnerability classes and attack techniques as part of their normal testing program so they could provide input and feedback on security problems as they are found

Ensuring that your teams have the specialized skills to do their job correctly is a required step toward maturity as an organization. This is why, with some esteemed colleagues, I founded the non-profit ISSECO (International Secure Software Engineering Council), which seeks to standardize the education and skills certification for secure software development.
STRATEGIES FOR ROLLING OUT TRAINING

Following are a few suggested approaches for rolling out your training program:

- All stakeholders get trained on application security awareness
  o Broadly deploy training level by level
- Core training plus security specialists
  o Specialists by functional groups or projects
- Base training plus candidates for Software Security Champions or Evangelists
  o Less training for all, but a few go-to people embedded in groups or projects
  o Multi-level support for developers with base training
- Start slow
  o Roll out to a test group or organization
  o Mix and match models and test
- Consider risk-ranking your applications and rolling out more in-depth training for high-risk applications

Selecting one of these strategies, or a hybrid of them, will depend on several factors that are specific to your organization: geographical diversity of your teams, separation or concentration of the groups who are responsible for mission-critical applications, existing infrastructures for educating employees, number of people available to conduct training, etc.
YOU ARE NOT ALONE!

While it would be daunting to build and operate a secure development program from scratch, the good news is that you don't have to, and there's a wealth of resources at your disposal. Every organization is unique and needs its own customized approach to assure effectiveness and success. Companies like Security Innovation can work with you to adapt our learning materials and expertise to your environment in the way you need them to work.

Checklist for Establishing a Software Security Awareness and Education Program

Requirements for Program Success:
- Executive Management establishes the mandate for software security and budgets the time, expense, and delegation of authority to improve software security
- Goals, policies, standards, and controls are in place for software security throughout the SDLC
- Learning media is geared to your audience based on their availability, geographic dispersion, access to materials (intranet-based vs. Internet-based), language considerations, and the time zones where personnel are located
- Reference tools are readily available to developers and are usable for just-in-time access when solving specific software security issues
- Examples of high-quality, secure source code are available to show developers what needs to be accomplished and why
- Code examples come from familiar internal sources
- Courses are stratified by well-defined roles in the SDLC and cover topics specific to the development languages and computing platforms you are using
- Progress through courses and completion of course bundles include reward and recognition steps that further motivate learners
- A metrics program has been established to show trends over time and help identify components that are working as planned vs. those that need intervention or changes
- Program maturity is measurable and is measured consistently

SUMMARY

Secure Software Development can be a difficult problem to get your hands around and solve. Awareness and Education are vital for success and require a many-hats approach that includes psychology, creativity, engaging materials, formal structures for learners to navigate, and a solid rooting in how people learn and apply new skills in their jobs. With sufficient time, budget and executive support in place, you're on the way to building the best program possible. Once in place, you'll marvel at how the success feeds upon itself and starts showing up in measured improvements you're proud to see!
HOW SECURITY INNOVATION CAN HELP

Security Innovation's solutions are built upon 15 years of application security experience and research. Organizations rely on our training, standards and assessment solutions to ensure their software applications are secure and in compliance.

- TeamProfessor eLearning, the industry's largest library of application security courses (65+), covering each phase of software development, all application types (cloud, web, embedded, mobile, database), popular technologies (Java, C/C++, .NET, PHP, C# and JRE) and industry standards/guidelines (OWASP, PCI-DSS, Microsoft SDL, etc.)
- TeamMentor Security Process Framework, featuring an extensive collection of SDLC best practices that align development activities with corporate security policies and compliance requirements. It is a persistent knowledge asset that includes dedicated, prescriptive guidance views for PCI-DSS, OWASP, mobile, and security engineering, and is an excellent complement to any training initiative.
- SDLC Compliance gap analysis and optimization to help map application security practices to compliance and governance requirements. This service includes a complete analysis of people, processes and technology and delivers an actionable roadmap that includes recommendations for filling the gaps with the proper use of the right tools, training, and customized policies.
- Managed Application Security Testing (MAST), for organizations that have hundreds or thousands of applications to secure. MAST provides a multi-tiered testing solution that calibrates the depth of testing and vulnerability analysis to the level of application criticality.
- Application assessment services to perform threat modeling, code reviews and application penetration testing on a single application or across an entire portfolio of software applications.
- High-performance encryption software to ensure secure, efficient communications.
LEARN MORE
Please visit Security at

EVALUATE OUR TRAINING PRODUCTS
Please contact us at x1 or or fill out online form

REFERENCES
[i]
[ii]
[iii]
[iv] Sandman, Peter. Motivating Attention: Why People Learn about Risk or Anything Else. Retrieved from Nov 23,
[v] McLeod, S. A. (2008). Cognitive Dissonance Theory - Simply Psychology. Retrieved from Nov 24, 20