Finally, Application Security Training for Devs, by Devs


Developers are busy. Ain’t nobody got time for “security training” which will likely involve a cartoon man wearing sunglasses and a hat, skulking around doing nefarious-looking things with computers.

Devs have code to write and jobs to keep. Unless it makes them better at their actual career, why bother? If they absolutely must take mandatory training, odds are high they’ll launch the program and leave it running in the background while they go about their day job. Apparently one or two devs might be doing this because 83% of apps contain a security flaw.

Application Security Training for Developers

Kontra, by ThriveDX, takes a different approach. Gyan Chawdhary was one of those jaded devs who couldn’t be bothered. But being a developer himself, he understood there was a way to reach the dev community and impart actual value. From the ground up, he instilled five core principles within Kontra to make application security training relevant and useful to developers.

1. Make it Better, Make it Believable

Some version of “this is cheesy,” “we already know this” and “not a thing that would happen in real life” has been overheard somewhere during security awareness training. While most employees understand they are the weak link cyber-wise, not every employee knows what to do with this information. They have heard lots of fear mongering, but far fewer solutions. Tell them what they don’t already know. Communicate something of value. Instead of sowing fear, uncertainty and doubt, practice empathy and understanding for the position they are in and show vision for what they are likely to encounter.

In other words, make your security awareness training believable and inspired by real-life attacks. Use actual web pages they are likely to run across in your examples. SQL injection attacks don’t happen on login pages, but they might happen in checkout pages. They are even more likely to happen in random, semi-arcane places. Use these as your examples, so that your audience knows that you know what you’re talking about. Teach them to identify, disable and quarantine attacks before they become expensive problems.

For example, ThriveDX recently acquired Kontra which provides application security training aimed squarely at developers. Whereas normally developers find bugs and report them, Kontra instead teaches them how to identify and fix security vulnerabilities and other bugs in real time, saving four or more weeks on the next rev.

2. Practice Radical Candor

Acknowledge up front that security training is nobody’s first choice in time management. We get it. At the same time, people generally agree that having jobs is a good thing. If a company falls victim to ransomware, one person’s carelessness could end up costing dozens of people their careers, if not the business itself. So of course, security awareness training is going to be mandatory. Let’s make the most of it, shall we? 

3. One Size Does Not Fit All

Not all employees are equal. Some are more likely to be attacked than others. Specifically, people with privileged access to sensitive data are much likelier to be targeted. Your training should account for these heightened human risks by separating those people off from the group and walking them through more intensive training, preparing them for the scenarios they are likely to encounter.

4. Tighten It Up

Why spend 20 minutes making a point you can convey in five? Developers are usually the smartest people in the room so don’t underestimate them. Approach training like it’s not their first day with a computer and an internet connection. By now most folks have a general understanding of what threats await them after making bonehead decisions online. What they do not have a lot of is time.

Gyan Chawdhary is founder and CEO of Kontra, which he calls Application Security Training by developers, for developers. “Nobody has time for security training… least of all, developers,” said Chawdhary. “That’s why one of our key differentiators is that every part of our training runs five minutes, max.”

5. Tell a Story

In addition to showing an attack and how to fix it, include a narrative. Tell an interactive story of real-life attacks. Many devs are curious as to how attackers found this bug in the first place. What tools did they use? What code were they looking for? How did this security vulnerability come to be discovered? Kontra shows them this back story and walks them through the steps from the perspective of a cybercriminal. It shows them a hacker’s tricks. Square that circle, and good code follows. 

6. Scale your content by integrating with other LMS software

All too often both security awareness training and application security training are standalone courses sitting outside of a company’s Learning Management Software (LMS). This effectively means you can assign training without enforcing any compliance. If developers are writing code while AppSec Training runs in the background, how would you know, and what could you even do about it? 

The other problem is that security training vendors will often force companies to adopt the vendor’s own LMS in order to give the company visibility into employee compliance. This presents several problems. First of all, why would a developer want to log in to yet another system, in addition to their own LMS, to complete training? It also ignores the fact that many enterprise LMS systems are far more sophisticated and complex than anything offered by cybersecurity training vendors. While an organization might gain some enforcement and compliance capabilities, it will lose more in overall functionality.


In summary:

Application security is important. Developers’ time is valuable. Why not combine these two realities into one useful training? Unlike other AppSec programs, Kontra is jam-packed with challenging yet teachable real-life scenarios that will integrate security best practices into your code from the bottom up. It’s a win-win for all parties.

For more information on ThriveDX’s enterprise security training programs, please visit us at https://thrivedx.com/for-enterprise.


Gyan Chawdhary is the Founder and CEO of Kontra Application Security (acquired by ThriveDX’s SaaS division). Previously, Gyan founded and invented Codebashing, the industry’s first interactive application security training solution, which was acquired by Checkmarx in 2018.
