The article presents one of the education models that could be used to regularly educate your IT organization/team about the latest security updates, attack patterns, mitigation techniques, security-related libraries and infrastructure, best practices and guidelines, etc.
Now that application security is becoming an important aspect to take care of while laying out a plan for application design and development, it becomes much more important to put a plan in place for educating application developers and testers. The primary objective is to create a security-aware development team (and organization at large).
Following is one of the models that could be used to achieve the above-said objective:
- Security Awareness Training: Security awareness training for all developers on an ongoing basis. In this training, developers could be made aware of common security vulnerabilities, their impact, and what could be done to avoid the related attacks. As a guideline, one may want to make developers aware of the OWASP Top 10 security vulnerabilities while putting emphasis on some of the most common ones, such as the following:
  - SQL injection
  - Cross-site Scripting (XSS)
  - Cross-site Request Forgery (CSRF)
- In-depth Security Training: In-depth security training for select developers from different teams in the organization, in order to create a local point of contact to handle security-related issues. These select engineers could as well form part of a centralized security team. They should be provided with a detailed description of the OWASP Top 10, code samples, hands-on experience with security testing tools, threat modeling, security code review techniques, etc.
- Centralized Knowledge Repository: A centralized, regularly maintained knowledge repository, such as a wiki, to hold information on some of the following and provide easy access to all developers and testers:
  - Secure design and coding practices
  - Tools and frameworks that could be used for security-related assessments and testing
  - Security bugs/issues that were found in the software and later fixed, along with their solutions
  - Presentations on security-related topics
- Security Newsletter: A security newsletter that could be sent regularly to all developers to keep them informed about security vulnerabilities, new threats, best practices and guidelines, etc. This could be maintained by a content team that works with the security team to gather and publish the content.
- Internal Security Meetings: Internal security meetings, held at regular intervals, to update developers on security topics and gather their concerns.