How Thales implemented developer-driven security

Published Jul 22, 2023
by
Case Study

Background

Thales Group is a French multinational company that designs, develops, and manufactures electrical systems, as well as devices and equipment for the aerospace, defense, transportation, and security sectors. Viswanath S. Chirravuri is the Software Security Technical Director at Thales. Viswanath, or Vis, began his security career as a programmer. He is now a senior security leader at Thales with more than 18 years of experience in the security industry, and holds more than 30 certifications, including CISSP, PMP, and GSE. He has educated over 3,000 software professionals in more than 18 countries. In addition, Vis has won more than 10 SANS challenge coins in international cybersecurity tournaments (such as NetWars) and is an active member of the GIAC Advisory Board. We spoke with Vis to learn how he aligned people, processes, and technology to develop a successful secure code learning program at Thales.

Situation

When Vis started at Thales, he coached business units to look at the source of vulnerabilities discovered via pen-testing as a possible way to decrease the backlog of tech debt. The application security team was working with 7 different vendors to solidify its security posture, from IAST/DAST tools to pen-testing tools. Vis wanted to understand the market trends and manage threats in a scalable manner, developing mitigation strategies through a strong integration between process and technology. This meant shifting from a purely tools-based approach to a strategy with a strong learning component. He noticed that many of the developers did not have a security background or security skills. His initial approach was to provide classroom-based training for developers on topics like the OWASP Top 10, but he quickly realized that this would not scale, given the travel required to teach in person and the need to reach thousands of developers across the globe. Vis noted that:

“There is always going to be an imbalance in the ratio between security and development. Even if I had a 1:1 ratio of security to developers, I couldn’t keep them engaged all the time. Keeping our developers up to date on new attack vectors, best practices, new languages, and newly discovered vulnerabilities meant we needed to be able to promote self-learning by developers and have them be able to go at their own pace. If they need help, I could help them, but I realized that I couldn’t be the guy teaching them how to fix every vulnerability they find.”

Initially, there was pushback from development managers about the time developers would need to invest in secure code learning, since so many developers were starting from the ground up. Vis needed to manage the perception that a commitment to secure code learning might disrupt software release cycles or slow mission-critical sprints. He needed to find a way to properly motivate the organization to spend time on agile learning for secure code. Vis took a people-first attitude to addressing vulnerabilities at the source: “People often say that security is taking away time from development. For me, if you develop something and it’s insecure, it was a waste of time to begin with. You should always develop software to be secure and save yourself the time of having to fix the vulnerabilities that could have easily been avoided. We should all have the common goal of shipping reliable code.”

Action

Vis had two primary goals in mind: securing their software and raising security awareness in Thales’ developer teams. It was critical to implement a program that allowed developers to be independent and train at their own pace. Vis’ strategy was to build a security community over time, working to link secure coding with corporate policies and developing a mandate for secure code learning in the organization. By encouraging a culture of community that connected developers, testers, architects, and engineers, he saw a motivation multiplier effect. Security champions who were passionate about security as part of their day jobs emerged and helped spread awareness of secure coding practices across the organization. Vis evaluated more than a dozen security training vendors and became an SCW customer in 2019. For Thales, it was a huge benefit to have one vendor covering all the programming languages and frameworks in their environment instead of a piecemeal solution. Vis leaned on Secure Code Warrior’s large volume of content to build training and self-paced learning that developers in the security program could access:

“The OWASP Top 10 is not simply ten things you need to know. The depth and diversity of the vulnerabilities covered by OWASP combined with the sheer number of programming languages can be overwhelming - the wide range of challenges and coverage we have on these things was a key factor in choosing SCW. They are always adding new things. The depth, the diversity of topics, the up-to-date content, and the focus on secure code design principles really set SCW apart. With them, it’s not a one-time use training, instead, we gained the opportunity to build a continuous program.”

Vis and his team structured four levels of the secure code learning program rollout, with different milestones for each engineering role:

Awareness: Raises the basic level of security awareness and establishes a baseline for the developers’ knowledge of the security topic.

Basic: Teaches basic security skills like how to spot vulnerable code and understand common vulnerabilities.

Autonomous: Uses vetted tactics to locate and remediate vulnerabilities with Secure Code Warrior’s guidance.

Expert: Becomes a defined security champion and expert in all relevant areas important to the business.

Importantly, SCW became the source of truth for vulnerability fixes. Instead of relying on Google searches that might lead developers astray when troubleshooting, Vis published both guidelines from the AppSec team and ones from SCW’s content library, so that developers could reference a trusted and authentic source for vulnerability fixes in the code. According to Vis:

“Developers shouldn’t be free to decide how to fix a vulnerability and potentially introduce a new vulnerability in the process. We integrated SCW videos into our LMS via SCW’s SCORM integration to make sure developers were learning how to fix the vulnerability in the right way. This also gave us a way to ensure that developers delivering secure software were being recognized. We ask them to achieve a certain level of secure coding and we can track that through the vulnerabilities they resolve and are not re-introducing. That way, the hard work they’ve done is recognized and valued in the company.”

Results

Vis and his team publish a monthly secure code newsletter where they can recognize the top learner in the company. They use SCW to look at assessment scores, tournament participation, and challenges played to amplify that achievement. This motivates other developers to learn too. The KPIs he initially set focused on reducing the overall number of vulnerabilities over 2 years. After implementing SCW, he noted a decreasing trend line. These vulnerabilities are not re-introduced at the source code level. Vis puts it this way:

“The KPIs we present to our management reflect that well-informed selection we made. We are proud that we have secure code training that delivers business confidence to our customers. We are recognized for our comprehensive secure code training program and are respected by our customers and peers. It adds a lot of value to your company when you have a program like this.”

Key takeaways

Vis recognized that people, processes, and technology all have a role to play in any security initiative. By focusing on the security of the software, developer knowledge, and meeting compliance, it is possible to put together an agile secure code learning program that reduces vulnerabilities in the source code over time. Vis offers these recommendations to professionals in his field looking to build security skills in developer teams.

Focus on your people

The value you place on secure code learning matters. Recognize developers’ knowledge gained, and offer the security certifications they get as achievements. This will motivate them and their peers to learn more.

Link secure coding with corporate security policies and processes

Create a mandate for developers to only use vetted security guidelines. Make sure developers know there is an authenticated source, instead of creating ambiguity in the process that could lead to more vulnerabilities being introduced.

Find synergies with your internal systems and dev tools to reduce the time developers need to up-skill

Delivering on time is important, but there should always be an emphasis on securing your software in order to save the time of having to fix vulnerabilities later.
