Software security training: Perspectives on best practices
Software development training with an emphasis on secure coding can improve enterprise security postures. Steve Lipner of SafeCode discusses different ways to get the job done.
Based on the number of security threats and zero-day vulnerabilities in 2017, experts are predicting that security teams in 2018 will need to become more agile to keep pace.
I recently consulted SafeCode members on how to best implement software security team training, as well as strategies that can help organizations get ahead of the curve in 2018.
Software security training, martial arts-style
David Lenoe, director of secure software engineering at Adobe and treasurer for SafeCode, worked with his team to organize their software security training to follow a progressive, martial arts-style belt system.
SafeCode members, such as Adobe, emphasize the importance of developer training and of developing rigorous internal training programs that use many of the SafeCode training courses, such as "Cross Site Scripting (XSS) 101" and "Secure Memory Handling in C 101," to enable developers to raise their skill levels.
"We make it clear that security is everybody's job, not just the security team's job. There's a white belt [training] program, which is a series of introductory, security 101 courses," said Lenoe. "Then there are green, brown and black belt programs, which are progressively more task- or project-oriented. That was the starting point for our Security Champion program, which identifies key security drivers within product teams."
Software security training: Applying the fundamentals
As security issues continue to arise, more companies are looking to fundamental practices, such as threat modeling, to help them identify and mitigate many of these concerns. The foundational role of secure software development in the effort to deliver secure cloud computing, software and technology infrastructure has never been more important.
Eric Baize, SafeCode chairman and Dell EMC's vice president of product security, is one of the contributing authors of SafeCode's tactical threat modeling white paper. He has played a key role in guiding the company's product security efforts since joining the company in 2002. As the leader of Dell EMC's practices for secure product development, he oversees the company's vulnerability response and drives consistent security architectures across the product portfolio.
"One of the core components of our strategy is threat modeling," Baize said. "Threat modeling is the concept of taking a system or product and finding ways to break in and exploit potential security weaknesses that may exist in the design.
"The reason we believe it's one of the most effective mechanisms is that product engineers enjoy being challenged by new problems. Threat modeling enables them to look at their products in a new way, understand where a product may have weaknesses, and potentially prioritize additional activities, such as code review or testing."
Some of the most dramatic increases in security come from avoiding vulnerabilities in enterprise systems and applications. Studies by the National Institute of Standards and Technology, the Center for Internet Security and the SANS Institute's WhatWorks program continue to show that security programs can remove vulnerabilities before they are exposed on deployed systems or services. Software security programs end up reducing security spending, while also measurably decreasing the frequency and size of breaches and other cybersecurity incidents.
SafeCode was formed more than 10 years ago with the aim of helping its members share approaches to remove such vulnerabilities with each other and with the software community at large.
Adobe's Lenoe also points to threat modeling as a potent tool in the development of software with better security.
"One investment that we make, which has a really high return, is putting time and resources into threat modeling," Lenoe noted. "We spend time with the product teams, helping them to understand their product while learning ourselves about the product, how it functions, where some of the attack surfaces might be, where the most valuable assets are living, and how we can best secure those assets. Threat modeling and bringing the human element into the picture are some of the most effective things that we do."
The path forward
Several organizations, such as the SANS Institute, offer resources for software security training and strategies. SafeCode has created a large collection of resources for software developers, including guidance papers on deploying threat modeling, the secure use of third-party components and the training modules mentioned above. Despite the continuous rise in security challenges, many development organizations have applied these resources to try to make progress in building secure products and services.
Looking ahead, companies will need to make sure their security practices are optimized to deliver secure components for the internet of things.
"Developing secure software is a process, not just one activity," said Baize. "Threat modeling is an activity that allows you to find issues and plan your future moves. Software is now everywhere: Cars, kitchen appliances or connected devices have become computers running software. Our software and our secure development practices have to follow our company strategy."
While stakeholders must acknowledge that security vulnerabilities will never be eradicated, they should also understand that they can be significantly reduced in prevalence and severity if development organizations adopt a holistic, secure development process. In addition, technology consumers should do their part, and encourage their vendors to adopt a secure development process, and software developers should learn security as part of their software engineering education.
Editor's note: The full interviews on which this blog is based are available here.