5 Reasons Your AppSec Training Program is Broken
- Gyan Chawdhary, Head of Application Security, ThriveDX's Enterprise Division
Secure application development training is crucial to keeping an enterprise environment secure in 2022: 84% of all cyber attacks target the application layer, and API attacks are up a stunning 686%.
As applications continue proliferating, attacks against them are increasing dramatically.
In other words, AppSec training has moved from “nice to have” to “must have.” When done poorly it hemorrhages money, frustrates the very teams it is meant to help and suffers from low engagement rates.
If you’ve made the good business decision to incorporate AppSec training into your enterprise curriculum, here are five approaches to avoid.
Top 5 Reasons Secure Application Development Training Fails
1. Not Enough Oversight to Push the Training Through
IT teams responsible for making sure developers complete secure code training already have enough on their plates.
Do they enjoy repeatedly chasing devs to finish their secure code training when there is already resistance?
Of course not. Double the oversight by delivering application security training through the HR platforms the enterprise already runs, which is how ThriveDX’s application security training is integrated.
Workday, Oracle, SAP and other HR platforms have their own Learning Management Systems that track whether an employee has finished mandatory training, and they have dedicated administrators whose job is to make sure it gets completed.
Wouldn’t you rather have those two sets of resources ensuring developers go through training, instead of ad hoc check-ins from your IT department?
Now your security teams can focus on security instead of babysitting.
By contrast, AppSec training from most vendors is a standalone system, and developers generally hate logging into yet another LMS.
Having multiple systems to learn new concepts is very frustrating and creates even more resistance.
This explains the traditionally low engagement rates of enterprise AppSec training.
Kontra (now ThriveDX Application Security Training) integrates into the HR systems developers already use. The HR team’s change management has already taught them how to use those systems, so completing the AppSec training becomes far more efficient and less of a chore.
If simplifying doesn’t win you over, offloading the oversight onto HR will.
2. Secure Application Development Training is Too Time Consuming
Once upon a time secure app dev training was video based, until someone figured out that developers engage more with interactive content that presents them with problems they can solve.
Companies almost immediately over-rotated, developing overengineered programs only a hacker could love. While this satisfied the 5 or 10% of developers who enjoy that kind of challenge, it left the other 90 to 95% wanting a better solution.
For instance, if a couch potato wants to get in shape, he probably won’t join a powerlifting gym populated with grunting bodybuilders – because there’s no added benefit. Nobody needs to bench 100 kg out of the gate.
The more achievable route will be taking light walks around the block or joining the aquatics center. The same applies to AppSec training.
Instead of 40 or 50-minute labs, AppSec training modules should run five minutes at most, because that is the format that resonates with devs. You can make them want to do the training by teaching it the way they want to learn.
3. Gamified Training: Quizzing
When application security training was first developed, it borrowed heavily from other learning formats. Unfortunately, this included gamification and quizzes.
This is not because games and quizzes are necessarily bad teaching tools, but because secure coding skill is hard to assess meaningfully with them.
A multiple-choice quiz tests whether a developer can recall the name of a vulnerability class, not whether they can spot the bug in real code or fix it. You can’t work a software bug into a multiple-choice question.
To counter this reality, training companies started showing developers pieces of code and asking them to find the vulnerability. This was an overcorrection the other way, putting devs to sleep and dramatically lowering engagement.
Developers can sometimes be some of the smartest people in the room so don’t underestimate them. Tailor your curriculum accordingly.
Devs won’t be wowed by the same bells and whistles incentivizing a lot of enterprise security awareness training. They will want to interact with the problem – just not all day. Keep the appsec training labs short, solvable and relevant.
4. Lack of Storytelling
A lot of companies emphasize the attack and how to fix it. Counterintuitively, devs don’t care about the actual bug itself. They want to know the backstory behind the exploit.
Developers might say “don’t tell me what Security Logging and Monitoring Failures are – I already know. Tell me what they look like and how they originate. I want to know the tradecraft and thought processes behind what the threat actor used.”
Most of us think about stopping attackers by locking our doors and windows. Developers think: “Screw the doors and windows – by then it’s too late. I want to know how to stop the attacker at the perimeter.”
It’s a different mindset, and one that I study relentlessly. I led security teams in Scotland before I created my first company (Codebashing, acquired by Checkmarx) and now Kontra, a ThriveDX company, so I understand what works and what doesn’t in effective developer application security training.
I spent years meticulously researching why training doesn’t work, including why the developers on my own teams didn’t complete theirs, to make Kontra’s learning successful for companies. Kontra’s software focuses on the tradecraft as well as the attack, and most importantly on how to fix it.
But Kontra also answers how did this exploit even come about? Why did the hacker decide this was the right place to drop this payload?
In other words, Kontra teaches how to fix application vulnerabilities and the techniques attackers actually use, while offering a peek inside the mind of a hacker. This helps devs anticipate the next poorly written piece of code and stay one step ahead of the next threat actor.
5. Lack of Credibility, Believability
Developers are a pretty savvy lot. They don’t want to see a trench coat-wearing cartoon man “stealing money from a bank” with zero context. If you show them a scenario they will never actually encounter, they’ll tune you out.
In other words, make your appsec training believable and inspired by real-life attacks. Use the kinds of pages they actually build in your examples. SQL injection is not confined to the login form every tutorial uses; it turns up in search, filtering and checkout flows, such as a coupon or order lookup, and those are the places where a developer will recognize their own code.
Devs don’t want to see trivial examples; they want to see attacks against the kind of real-world applications they build and use every day.
For example, developers might say, “show me an attack happening in Uber. Show me an attack on Tinder where someone was able to steal somebody’s geolocation.”
A lot of applications secretly collect user geolocations, but many of those same apps don’t adequately protect this kind of data, allowing attackers to steal your present geo coordinates.
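As a constructed illustration of the checkout-flow scenario described above (added here, not taken from the original article or from any ThriveDX or Kontra material), the snippet below shows a coupon lookup written two ways: once with the submitted code spliced into the SQL text, and once with a bound parameter. The coupon table, the codes and the attacker payload are all invented for the example, and it runs offline against an in-memory SQLite database.

```python
"""
Constructed checkout-flow SQL injection example (added illustration, not
from the original article or any vendor product). The coupon table, codes
and attacker payload are all invented for this demonstration.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory store seeded with two constructed coupons.

    STAFF100 is flagged internal_only: it must never be redeemable from the
    public checkout page.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE coupons (code TEXT PRIMARY KEY, percent_off INTEGER, "
        "internal_only INTEGER NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO coupons VALUES (?, ?, ?)",
        [("SPRING10", 10, 0), ("STAFF100", 100, 1)],
    )
    return conn


def lookup_coupon_vulnerable(conn: sqlite3.Connection, code: str) -> list:
    """Vulnerable form: the submitted code is spliced into the SQL text.

    A quote in the input ends the string literal early, and a trailing `--`
    comments out the internal_only guard that follows it.
    """
    sql = (
        "SELECT code, percent_off FROM coupons "
        f"WHERE code = '{code}' AND internal_only = 0"
    )
    return conn.execute(sql).fetchall()


def lookup_coupon_fixed(conn: sqlite3.Connection, code: str) -> list:
    """Hardened form: the same query, but the code is bound as a parameter.

    The driver passes the value separately from the statement, so the input
    is compared as data and is never parsed as SQL.
    """
    sql = (
        "SELECT code, percent_off FROM coupons "
        "WHERE code = ? AND internal_only = 0"
    )
    return conn.execute(sql, (code,)).fetchall()


# Constructed attacker input: closes the quoted literal, makes the WHERE
# clause always true, and comments out the rest of the statement.
PAYLOAD = "' OR 1=1 --"


def demo() -> dict:
    """Run a legitimate code and the payload through both versions."""
    conn = make_db()
    return {
        "legit_vulnerable": lookup_coupon_vulnerable(conn, "SPRING10"),
        "legit_fixed": lookup_coupon_fixed(conn, "SPRING10"),
        "payload_vulnerable": lookup_coupon_vulnerable(conn, PAYLOAD),
        "payload_fixed": lookup_coupon_fixed(conn, PAYLOAD),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:20s} -> {rows}")
```

With the legitimate code both versions return the same single row. With the payload, the vulnerable version hands back every coupon, including the staff-only 100% discount, while the parameterised version returns nothing, because no coupon is literally named `' OR 1=1 --`. That contrast, in a page a developer recognizes, is what a believable five-minute lab looks like.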
In Conclusion
These are the kinds of cyberattacks encountered in 2022. Incorporate them into your secure application development training curriculum, so your audience knows that you know what you’re talking about.
Once you have their attention, you can begin teaching them to identify potentially malicious code, where it happens and why, so they can thwart attacks before they become expensive problems.
Gyan Chawdhary is the Founder and CEO of Kontra Application Security (acquired by ThriveDX’s Enterprise Division). Previously, Gyan founded and invented Codebashing, the industry’s first interactive application security training solution, which was acquired by Checkmarx in 2018.