training developers at appsecusa

speaker: John Dickson

Bruce Schneier wrote in March: “I personally believe that training users in security is generally a waste of time and that the money can be spent better elsewhere”

Developer Training vs User Behavior training

  • Both are trying to change behaviors
  • Developers have more power to say no / to drive training by release
  • For developers, training is infrequent but more disruptive. User awareness training is 15-45 minutes. A developer class is 1-2 days.
  • PCI DSS requires training

  • Metrics rare even for HR training.
  • Turnover 20-30% in software development
  • Training budgets one of first things to cut in bad economy

A research study

  • Included 600 developers. 100 had over 3 days of security training, but the results didn’t reflect that. Gave a 15-question multiple-choice quiz.
  • “Didn’t want to ask how old they are because shouldn’t matter” [why not?]
  • Over half of developers had over 7 years of experience [we are in one of few industries where this is considered odd or even worth mentioning]
  • Had a hypothesis that the financial services sector would have an advantage, but it didn’t score better. Sample size in that sector was too low.
  • Tested both awareness and defensive coding
  • Largest enterprises had the lowest secure coding knowledge. They weren’t the largest banks, though. He suspects that would have raised the numbers.
  • Architects did best, QA did worst. Developers were in the middle.
  • Most people understand what an XSS error is, but less than 20% know what to do about it. How do you operationalize application security concepts?
  • Had to throw out 100 results (out of 600) because they didn’t complete the questions. This is common in studies. However, they didn’t fill in the harder questions. Results are even worse if you count those as wrong.
  • Higher ed teaches at most one elective on security, and it likely just covers encryption. [Is it their job to do so? They also rarely cover testing or maintenance or many other skills that are needed in the real world]
  • Study only measured right before and right after. Needs to be done again later to reinforce.

How developers learn

  • Companies buy a class or e-learning modules
  • After graduating, people learn informally: blogs, RSS, social media, developer websites, email lists, Safari Online [books aren’t dead]
  • Need refreshers, preferably in bite-size chunks. Include training in performance planning so the developer feels accountable for understanding it
  • Try to use real-world situations as refreshers. Talk about a breach
  • Incentives matter. Saw them make it more likely for people to fill out the survey, even for a captive audience.

Survey will become a whitepaper.

“Need to sales/market the dev teams”

My take
Good session. The research study was interesting. I wish there was more time to go into that. There are good talking points in it. I certainly agree on the need to customize training.