Applied ThreadFix: Getting the Most Out of Your Training Investment

As we talked about in an earlier blog post, secure coding training for developers can be expensive. Knowledgeable individuals who are adept at training are relatively rare. Quality training materials are expensive to develop and maintain. For these reasons, solid commercial instructor-led training offerings tend to have a non-trivial price tag. And that isn’t even the real cost of training, because you also have to look at the opportunity cost for the developers and other attendees of the training classes. What could they have done with that time if they weren’t in the training class?

So – if you’re going to train your developers, you want to make sure they get the absolute most out of their training. What I’ve learned over 15 years of providing security training to developers is that the more specific you can make your training lessons, the better the retention. For a long time I was a big fan of teaching concepts and then expecting the students to be able to extrapolate and apply the lessons to their specific development languages and architectures. I have to admit, I was wrong. Teaching concepts is valuable, but the more laser-specific you can make your instruction, the more immediately applicable the students tend to find it and the better it will be absorbed and adopted. So – if you’re teaching a class full of developers working on Java applications using the Spring platform, you don’t want the trainer opining about the general concepts of authentication and authorization – you want them pulling up code examples and walking through the features in the Spring Security library.

Fortunately, ThreadFix gathers a tremendous amount of data about your application security program and you can use this data to deliver more effective and impactful training to your development teams. Let’s look at how.

ThreadFix allows you to attach metadata to applications in the form of tags. These tags can be used to attach designators such as the type or architecture of the application. For example – is a given application a web application, a mobile application, or a web service? ThreadFix tagging lets you track this for reporting and risk-management purposes. In addition, you can track things like the languages and frameworks in use for your various applications. Is a given application written in Java or C#/.NET? Again – tags let you track this. So – if you determine that you’re going to send the e-Commerce team through some instructor-led training, you can look through the applications that team is responsible for and determine languages, frameworks, and application architecture types you need to have covered. Here we see that we have some Java-based web applications and an Objective-C mobile application that the e-Commerce team is responsible for.

Now that we know the high-level requirements for this training, we want to make it as specific as possible to the deficiencies and particular areas of need this team is displaying. By drilling down into the Progress by Vulnerability report we can see the types of vulnerabilities this team is having challenges with and focus on the vulnerabilities that are both the most serious and the most common. This helps us provide guidance to the instructor: “here’s where the team has the greatest need, so here is where we want you to focus your time.”

For this e-Commerce team, we see that, of the Medium, High, and Critical vulnerabilities the team has introduced into the applications, the most common vulnerabilities are Cross-Site Scripting (XSS) and SQL injection. So when the instructor is planning their lessons they can choose to focus more time on how to remediate and avoid introducing vulnerabilities in these problem areas and to potentially de-emphasize other topics in order to free up time in these areas of greatest need.

Instructor-led training can be tremendously valuable for developers as you try to provide them with the knowledge they’ll need to develop and maintain secure applications. ThreadFix makes it easy to evaluate the performance and security outcomes of groups of students to help make sure you maximize the value of your training investment.

Contact us for help crafting an effective training program for your development teams.

Teacher photo origin:

[https://commons.wikimedia.org/w/index.php?search=teacher&title=Special%3ASearch&go=Go&ns0=1&ns6=1&ns12=1&ns14=1&ns100=1&ns106=1#/media/File:Teacher_and_student_lancing_michigan_1960.jpg]

About Dan Cornell

A globally recognized application security expert and the creator of ThreadFix, Dan Cornell holds 20 years of experience architecting, developing and securing web-based software systems. As the Chief Technology Officer and a Principal at Denim Group, Ltd, the parent company of ThreadFix, he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process.