Application Security Training Archives - Security Compass (feed last updated Wed, 10 Jul 2024 12:03:08 +0000)

Unlocking the ROI of Security by Design in Application Development
https://www.securitycompass.com/blog/roi-security-by-design-in-application-development/ (published Wed, 27 Mar 2024 16:37:16 +0000)

In an era where digital threats evolve unprecedentedly, the traditional reactive stance on cybersecurity no longer suffices. Forward-thinking organizations are now embracing a proactive approach to security: integrating it by design from the onset of application development.

This strategic shift, known as “Security by Design,” not only fortifies applications against potential threats but also delivers significant returns on investment (ROI) by reducing the cost and impact of security vulnerabilities.

The Imperative of Early Security Integration

The concept of “shifting left”—integrating security measures early in the software development lifecycle—has become a cornerstone of robust application security strategies.

This approach challenges the conventional methodology of treating security as a final step or a quality to be tested for after development. By embedding security principles from the very beginning, organizations can anticipate and mitigate risks before they manifest as costly vulnerabilities.

The Cultural Shift Towards Security by Design

Adopting Security by Design necessitates a profound cultural shift within organizations, one that goes well beyond mere technical adjustments. It requires the commitment and understanding of every stakeholder, from executives to developers.

The journey begins with education, ensuring that all parties comprehend the value and mechanics of proactive security measures. Following this, the organization must embed these principles into its processes, empowering development teams to incorporate security considerations inherently and autonomously.

Demonstrating ROI Through Security by Design

Quantifying the ROI of Security by Design is pivotal in securing executive buy-in and sustaining the initiative. This can be achieved by analyzing the cost savings from averting potential vulnerabilities, the reduction in risk exposure, and the overall enhancement of product quality.

For instance, the integration of security measures from the design phase can significantly reduce the number of high-risk vulnerabilities, translating into direct savings on remediation costs and minimizing the ‘window of risk’ during which applications are vulnerable to attack.

Overcoming Common Challenges

Implementing Security by Design is not without its challenges. Organizations often encounter obstacles such as resistance to change, misconceptions about the feasibility of early security integration, and difficulties in measuring short-term successes.

To overcome these, it’s crucial to address the common “anti-patterns” that can derail security initiatives, such as siloed efforts, lack of proactive metrics, and the failure to recognize security as a shared responsibility.

The Path Forward: A Framework for Success

A structured framework can guide organizations in effectively adopting Security by Design. This includes:

  • Baseline Education: Building a foundational understanding of security principles across the organization.
  • Embedding Expertise: Integrating security experts and champions within development teams to facilitate knowledge sharing and guidance.
  • Empowering Teams: Providing the tools and autonomy necessary for development teams to implement security by design principles effectively.

The Bottom Line: Security as an Investment, Not a Cost

Security by Design is more than a cybersecurity strategy; it’s a business imperative that enhances operational efficiency, reduces risk, and ultimately contributes to the bottom line.

By embedding security into the DNA of application development processes, organizations can not only protect themselves against the ever-evolving landscape of cyber threats but also unlock significant economic value.

Ready to Shift Left with Security by Design?

At Security Compass, we empower organizations to integrate proactive security measures seamlessly into their development processes. Our comprehensive solutions and expert guidance can help your team navigate the cultural and technical shifts necessary to embrace Security by Design.

Don’t wait for vulnerabilities to dictate your security strategy. Contact us today to learn how you can proactively secure your applications and unlock the full ROI of your security investments.

Overcome the Top 4 Application Security Challenges in 2024
https://www.securitycompass.com/blog/top-application-security-challenges/ (published Mon, 18 Mar 2024 01:50:50 +0000)

In an ever-evolving digital landscape, securing applications against threats and vulnerabilities has never been more critical. Rohit Sethi, CEO of Security Compass, sheds light on the multifaceted challenges and solutions in application security, offering a roadmap for developers and organizations aiming to fortify their defenses in this comprehensive guide.

The Awareness Challenge: Bridging the Knowledge Gap

One of the most significant hurdles in application security is the knowledge gap among software developers. Traditionally, security has not been a focal point in the curriculum for coding, leaving developers unprepared to tackle security challenges head-on. “Software developers don’t necessarily learn about security when they learn to code,” Rohit points out, highlighting a fundamental flaw in the development ecosystem.

The rapid pace at which new vulnerabilities emerge compounds this issue, making it increasingly difficult for developers, whose primary focus is functionality, to stay abreast of the latest security practices. This gap in knowledge and awareness is the bedrock of the challenge, underscoring the need for a paradigm shift towards integrating security principles right from the onset of the development process.


Empowering Development Teams: The Role of Embedded Security Expertise

To bridge this gap, Rohit advocates embedding security expertise directly within development teams. This approach ensures that security considerations are not an afterthought but an integral part of the development lifecycle. He introduces the concept of utilizing platforms like SD Elements, which provide comprehensive insights into known software weaknesses and preventative controls, seamlessly integrating into development processes and tools like JIRA.

Such platforms enable development teams to focus on delivering business value through feature development while ensuring security measures are implemented effectively. This facilitates a more secure development process and enables organizations to demonstrate compliance and maintain an audit trail of implemented security controls.

The Evolving Landscape: Security Requirements and Liability

Highlighting a real-world incident, Sethi discusses the Capital One breach, emphasizing the longstanding nature of vulnerabilities like SSRF (Server-Side Request Forgery) and the lack of proactive measures to address such vulnerabilities. Looking forward, he points to regulatory changes, such as the EU Cyber Resilience Act, which mandates the integration of security throughout the development process and proposes liability for software vulnerabilities.

This evolving regulatory landscape necessitates a proactive approach to security, where developers must integrate the correct security requirements upfront and provide audit evidence of their implementation. Failing to do so increases the risk of breaches and exposes organizations to significant liability.

New Technologies, New Challenges: The Case of Generative AI

As new technologies like large language models and generative AI become more integrated into software products, new security challenges arise. Rohit highlights specific risks, such as prompt injection, associated with these technologies. He underscores the importance of implementing prescriptive security controls to mitigate such risks and demonstrate due diligence in the face of potential breaches.

The insights shared by Rohit Sethi underscore the multifaceted challenges of application security and the critical need for a paradigm shift towards integrated, proactive security practices. As technologies evolve and regulatory landscapes change, developers and organizations must prioritize security to safeguard against vulnerabilities and fulfill their responsibilities to users and stakeholders.

Ready to Elevate Your Application Security?

In today’s digital world, where security threats evolve as rapidly as technology, staying ahead requires more than just awareness—it demands action. Security Compass offers cutting-edge solutions designed to embed security expertise within your development teams, ensuring your applications are not just functional but fortified against the myriad threats they face.

Whether you’re looking to integrate security into your development lifecycle, comply with emerging regulations, or simply want to understand how to navigate the complexities of application security, we’re here to help. SD Elements provides a comprehensive framework for identifying and addressing software vulnerabilities, streamlining your path to secure software development.

Don’t let security be an afterthought. Contact us today to learn how Security Compass can empower your development teams to build not just innovative but secure applications that stand the test of today’s digital challenges.

Let’s work together to build a more secure future.

Just-in-Time Training: A Key Component in Achieving SOC 2 Compliance
https://www.securitycompass.com/blog/jitt-soc-2-compliance/ (published Sat, 16 Mar 2024 02:19:53 +0000)

In today’s swiftly changing digital environment, safeguarding sensitive information and maintaining privacy is increasingly vital for companies. Just-In-Time Training is crucial for upholding SOC 2 compliance, equipping employees with targeted knowledge for data security at the most critical moments. Here, we will explore the significance of SOC 2 compliance, the integral role that Just-In-Time Training plays, and how this focused educational approach can fortify your organization’s data security measures.

As we unfold the layers of SOC 2 compliance and the dynamics of Just-In-Time Training in the following sections, you’ll discover how this targeted training strategy contributes to meeting strict regulatory requirements and empowers a security-first mindset among employees.

What is SOC 2?

The SOC 2 framework is designed to assess the controls over information systems within a service organization, providing an independent, third-party attestation to these controls, often in response to demands from customers or regulatory bodies. The SOC 2 controls are structured around the Trust Services Criteria (TSC) created by the AICPA, offering detailed guidelines for control implementation and design.

These controls are categorized into five core Trust Services Criteria:

1. Security: Establishing a security program to protect data from unauthorized access, loss, alteration, or destruction. This includes ensuring only authorized individuals can access data and systems, implementing encryption, and formulating disaster recovery plans.

2. Availability: Maintaining a level of service that meets predefined performance objectives. This criterion covers aspects like backup and recovery processes, incident management, business continuity planning, and capacity management.

3. Processing Integrity: Ensuring the integrity of system and data processing to prevent unauthorized changes, deletions, or disclosures. Controls under this criterion are designed to maintain data usability, availability, and reliability.

4. Confidentiality: Protecting information confidentiality to prevent unauthorized data access and disclosure. This involves implementing stringent access controls, encryption, secure communication methods, and measures to prevent session hijacking.

5. Privacy: Safeguarding personal information from unauthorized access and monitoring. This includes implementing controls for user authentication, encryption of data in transit and at rest, and protecting sensitive personal and group information such as health and financial data.

To maintain compliance, organizations must undergo regular SOC 2 audits, which reassure clients that their data handling methods meet stringent quality standards. The SOC 2 auditing process is designed to verify that service providers are managing data securely and safeguarding both their clients’ interests and privacy. These audits assess an organization’s systems and control effectiveness in safeguarding customer information. A crucial aspect of these controls is the expertise and skills of the involved staff, underscoring the importance of extensive, continuous training. Fostering an environment of continuous learning and awareness is not only encouraged but also required for maintaining SOC 2 compliance.

What is Just-In-Time Training?

Just-In-Time Training is a form of training that uses microlearning principles to cover a question and provide immediate and relevant knowledge transfer when an employee’s job demands it. This method has some benefits that distinguish it from traditional, schedule-based training programs. Understanding these benefits is essential for organizations leveraging Just-In-Time Training to enhance their SOC 2 compliance posture.

1. Immediate Relevance: Just-In-Time Training is crafted to provide educational content that specifically tackles immediate and pertinent requirements. For example, if an employee is about to work on a process that requires adherence to a specific SOC 2 control, JIT Training would provide a targeted lesson related to that control right before the task is performed.

2. Retention: Employees are more likely to retain and apply what they learn because the training is relevant to the task at hand. This method contrasts with comprehensive training that may overwhelm employees with information not immediately applicable, leading to quicker forgetfulness.

3. Flexibility: As regulations change or new threats emerge, Just-In-Time Training can quickly adapt, providing updated content to keep employees informed and competent in real-time, thus ensuring ongoing SOC 2 compliance.

4. Integration with Workflows: JIT Training often uses technology platforms that integrate with the employee’s workflow, making it seamless for users to receive training without disrupting their daily tasks.

Just-In-Time Training and SOC 2 Compliance

Just-In-Time Training directly supports SOC 2 compliance by aligning employee knowledge with the framework’s requirements. Let’s explore how this educational approach can be strategically applied to meet key aspects of the SOC 2 trust principles:

1. Security Principle: The primary concern of SOC 2’s Security principle is the protection against unauthorized access that could lead to data breaches. JIT Training can immediately instruct staff on new security protocols, patches, or policies, ensuring that everyone is informed and vigilant against potential threats as they arise.

2. Availability Principle: The availability principle emphasizes the importance of system operability and reliability. JIT Training can be deployed to educate staff on new or updated procedures related to system maintenance, performance monitoring, and incident response. This ensures that employees are equipped with the knowledge to maintain and restore system availability, aligning with the SOC 2 requirements.

3. Processing Integrity Principle: Ensuring that systems perform their intended functions without error or manipulation is the essence of the processing integrity principle. JIT Training can address this by providing immediate guidance on best practices, error avoidance, and quality control measures, thereby ensuring that data processing is accurate, timely, and efficient.

4. Confidentiality and Privacy Principles: JIT Training can be used to promptly update employees on changes to data handling policies and privacy regulations, ensuring that sensitive information is protected in accordance with SOC 2 standards.

Implementing Just-In-Time Training for SOC 2 Compliance

Successfully integrating Just-In-Time Training into a SOC 2 compliance strategy requires intentionality, planning, and an understanding of your organization’s unique needs. To effectively bring JIT Training into your SOC 2 efforts, consider the following actions:

1. Conduct a Gap Analysis: Determine the sections within your SOC 2 compliance framework where instant training could yield the greatest benefit. Conduct a survey with employees to find out what types of information they need at their disposal.

2. Develop Relevant Content: Create bite-sized training materials that relate directly to identified gaps and SOC 2 requirements. Ensure the content is easy to digest and actionable by keeping things short and generating action lists targeted at one specific topic.

3. Implement Technology Solutions: Employ training platforms that integrate with employee workflows and can automate the delivery of Just-In-Time Training content whenever relevant. Examples of technology JIT training solutions include (but are not limited to):

  • Mobile Learning through mobile apps connected to a cloud-based LMS.
  • Performance Support Tools that help learners complete their task by providing instructions in real time.
  • A Content Library containing on-demand, pre-recorded tutorials that enable learners to explore a topic at their convenience without needing to show up at a certain time.
  • Searchable Knowledge Bases that empower employees to easily find the answers they need.

4. Monitor and Measure Effectiveness: Utilize training solution analytics to track employee progress and measure the retention and application of the training content. Regularly solicit employee feedback about the training they receive. Use this feedback to adapt and evolve training strategies to be more effective.

5. Cultivate a Compliance Culture: Encourage a workplace environment where continuous learning is valued and staying compliant is considered everyone’s responsibility, as the SOC 2 Trust Services Criteria require.

Challenges

While JIT Training offers significant advantages, especially in the realm of SOC 2 compliance, there are hurdles that organizations may need to navigate. Some common challenges include:

  1. Developing training material that remains relevant over time and adapts to regulatory updates and evolving threats is a continuous effort.
  2. Promoting regular engagement with JIT Training can be difficult, especially if it is seen as an interruption to daily tasks rather than an integral part of them.
  3. As an organization grows, scaling JIT training to accommodate more employees, roles, and evolving compliance requirements can be challenging. The training system must be adaptable and scalable to meet the changing needs of the organization.
  4. Evaluating the effectiveness of JIT training can be complex. Organizations need to have clear metrics and tools in place to assess whether the training is meeting its objectives, particularly in the context of SOC 2 compliance, where the effectiveness of controls is paramount.
  5. JIT training must be seamlessly integrated with existing workflows and processes. This integration can be challenging, especially if the existing infrastructure does not support agile and flexible training delivery mechanisms.
  6. Ensuring consistency and standardization across JIT training modules can be difficult, particularly in larger organizations or those with multiple departments. The training content needs to be consistently high-quality and aligned with the organization’s SOC 2 compliance objectives.
  7. Effective JIT training often relies on a robust technological infrastructure to deliver training content dynamically and on-demand. Organizations need to invest in the right technology platforms and tools to facilitate JIT training, which can be a significant hurdle, especially for smaller organizations.

Conclusion

We’ve touched on the pillars that make JIT Training effective, tied its concepts directly to SOC 2 compliance, outlined strategies for implementing it effectively, and covered common challenges. Throughout this exploration of Just-In-Time Training and its role in SOC 2 compliance, we’ve underscored that effective, timely training is important for building an informed workforce capable of responding to security challenges as they occur. By delivering concise, customizable, and relevant content, JIT Training helps ensure that staff are not only knowledgeable about SOC 2 requirements but are also applying them to protect customer data and maintain the integrity of service delivery systems.

Navigating the New Frontier: NIST Cybersecurity Framework Version 2.0 and Its Emphasis on Software Security
https://www.securitycompass.com/blog/navigating-the-new-frontier-nist-cybersecurity-framework-version-2-0/ (published Wed, 28 Feb 2024 20:15:48 +0000)

On February 26, 2024, the US-based National Institute of Standards and Technology (NIST) released a highly anticipated update to the Cyber Security Framework (CSF). The NIST CSF includes several changes from the prior version, including implications for security by design and secure SDLC.

What is the Cyber Security Framework (CSF)?

CSF is a voluntary framework initially designed for critical infrastructure organizations to measure, manage, and improve their cybersecurity posture. Its flexibility, breadth, and conceptual simplicity, along with having the backing of NIST, means that many organizations across all verticals and around the globe have adopted the CSF as a primary tool to communicate cybersecurity posture and priorities.

A common use of NIST CSF is for technology executives such as CISOs and CIOs to report to boards of directors on current and target states related to cybersecurity posture. According to IDC, over half of Fortune 500 companies with US headquarters have adopted the NIST CSF as their primary control framework for cybersecurity. Many international brands have cited NIST CSF in their annual reports or other public documents, including T-Mobile, Nielsen, BlackRock, TransUnion, Thomson Reuters, and Petrobras. Global consultancies such as PricewaterhouseCoopers (PwC) offer guidance to boards on the CSF, and the National Association of Corporate Directors (NACD) cites CSF in its Cyber Risk Oversight Handbook.

While many other frameworks and control catalogs exist, the CSF is unique in its widespread acceptance across regions and industries by non-technical stakeholders.

The CSF’s Role in Shaping Cybersecurity Programs

Cybersecurity has an ongoing and often heated debate about the value of compliance vs. mitigating risk. Security practitioners often bemoan focusing on “checking the box” of compliance vs. spending time and effort on the organization’s most significant areas of risk. The debate will likely continue forever, but one thing is clear: compliance will always be a substantial driver of cybersecurity programs.

Finding the appropriate spend of time and effort in cybersecurity is no simple task. Leadership teams in any organization often seek concrete, measurable goals to help allocate resources for domains like cybersecurity. Measuring against an internationally recognized and credible framework like the NIST CSF can often have the additional benefit of satisfying many stakeholders, including auditors, regulators, and shareholders. Moreover, it creates a defensible position in the event of a security incident – a major topic of conversation at boards due to the SEC’s new rules on incident disclosure.

Organizations that adopt CSF often use Profiles that measure the current state across the various control categories, define a target state, and then use the delta to help build a roadmap for their security program. CISOs or other senior executives are often asked to periodically report progress to the board on that roadmap against the CSF target state.

The high-level visibility of the CSF often means that the entire cybersecurity program and budget are heavily influenced by the roadmap to achieving the target state. While the CSF is flexible and not prescriptive, the reality is that for many organizations, CSF creates a world of haves and have-nots for cybersecurity: anything described in the CSF Core and on the roadmap to target state is a priority. Anything that does not help achieve target state compliance is a lower priority unless it is a critical (i.e., imminently exploitable) risk or leaves the organization in non-compliance with regulatory requirements.

The CSF and Software Security

Partially because it was developed for critical infrastructure organizations rather than software manufacturers, and partially because widespread awareness and acceptance of the importance of secure software development practices was relatively low compared to today, the NIST CSF 1.0 and 1.1 core did not contain many explicit references to software security. Many categories and subcategories could be interpreted to include software. For example: “ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk” or “PR.IP-12: A vulnerability management plan is developed and implemented”. However, in most cases, the scope was broader than software. Moreover, the concept of security by design and integrating security at the beginning of the software development process was not mentioned.

Secure SDLC and security-by-design are large programs that require organization-wide support and executive buy-in to be successful. When deciding which programs to fund and allocate headcount to, many organizations decided that the cost/benefit of investing in an extensive program like this was simply not worth it if it wasn’t on the CSF target state roadmap.

The Importance of Secure Software Development in Today’s Cybersecurity Landscape

In 2021, after many high-profile incidents, the president of the United States issued an executive order on cybersecurity that specifically called out software supply chain security. This was followed by a wave of government actions related to software security, including:

Spotlight on Platform Security: A New Paradigm in NIST CSF 2.0

One of the most significant changes to NIST CSF was its intended scope. Instead of focusing primarily on critical infrastructure, NIST CSF 2.0 is now designed for any organization.

NIST introduced the Platform Security category under the “Protect” function: “The hardware, software (e.g., firmware, operating systems, applications), and services of physical and virtual platforms are managed consistent with the organization’s risk strategy to protect their confidentiality, integrity, and availability.” Under platform security, NIST added a subcategory that specifically references secure software development: “Secure software development practices are integrated, and their performance is monitored throughout the software development life cycle.” Including this subcategory means anyone who builds software and wants to implement a secure SDLC program can do so knowing it will align with CSF.

Assessing Secure Software Development Current State

CSF defines four tiers for assessing the current and target states:

(Source: NIST CSF 2.0)

Most organizations looking to improve platform security will likely target Tier 3 or 4 in their end state. The NIST SSDF provides a comprehensive set of controls specific to secure development. In our experience, many organizations have implemented security testing and/or scanning and developer education but have not otherwise broadly rolled out secure SDLC activities such as threat modeling, defining security requirements, ensuring code integrity in the build process, etc. These organizations will likely self-assess as Tier 1 or Tier 2 in this category.

Next Steps: Achieving the Target State

Organizations targeting Tier 3 or 4 for secure development should consider building a roadmap based on the NIST SSDF. We have published a guide to help you comply with the SSDF.

This is an excellent opportunity to build broad support for security by design. We recommend adopting the 3E framework to help ease the organization into the cultural change necessary: Educate development teams, Embed security ownership within the teams, and then Empower the teams to integrate security by design.

Conclusion: The Future of Software Security with CSF 2.0

The global influence of NIST CSF is unparalleled. Combined with the regulatory changes and other government actions related to software security, integrating security into the SDLC will no longer fall into the “have-nots” of a cybersecurity program. Practitioners who have seen their initiatives shelved year after year will finally have the organizational backing to push for fundamental changes in software development.

The downstream impact of software product manufacturers building more secure software will be felt by everyone. Fewer patches involving known, preventable security defects will lead to fewer incidents and increase public trust in technology. This is the very vision of Security Compass.

Contact us if you want to learn more about secure software development and how to start your program.

Optimizing Security by Design Through Training and Security Champions
https://www.securitycompass.com/blog/optimizing-security-by-design-through-training-and-security-champions/ (published Tue, 12 Dec 2023 05:44:19 +0000)

The post Optimizing Security by Design Through Training and Security Champions appeared first on Security Compass.

Application Security Is in the News Again

The importance of secure software to organizations becomes clearer each year. Web-facing software that manages sensitive data is an attractive target for malicious hackers. It can provide a pathway to data, including personally identifiable information (PII) that can be used for identity theft, personal health information (PHI) that can be leveraged for insurance fraud, financial data that can allow securities fraud, and intellectual property and trade secrets valued by competitors and nation-states.

The attacks take several forms. Criminals can take advantage of vulnerabilities in popular open-source projects to gain access to systems. This was the attack vector in the 2017 breach at the consumer credit reporting agency Equifax that exposed personal data of 143 million consumers. Similar vulnerabilities in commercial software offer similar access.

No organization is “under the radar” for criminals. Supply chain security is necessary in today’s interconnected world. A weakness in a vendor’s or partner’s security profile can introduce risk to its customers. The 2022 Verizon Data Breach Investigations Report showed that 62% of system intrusion incidents came through partners and other third parties. These include the 2020 SolarWinds Breach and this year’s vulnerability in Progress Software’s MOVEit file transfer software. The latter attack (attributed to Russia) resulted in the exposure of hundreds of thousands of emails from the Departments of Defense and Justice, personal data on over 800,000 Sutter Health patients, and nearly the entire population of the State of Maine.

Traditional Approaches to Application Security Present Challenges

The demand for more secure applications has never been higher. Unfortunately, traditional approaches to building secure software simply do not work in today’s environment. The “find and fix” approach requires teams to test software late in the development process using static and dynamic analysis tools to identify vulnerabilities. Here are a few key challenges that exist for Application Security professionals and development organizations:

  • Developers are not trained in security development: Security is usually not part of the functional specification of software. Indeed, software development teams have always been measured on a functional basis. If they delivered features on time, they were doing their jobs right. Security was never considered until 20 years ago, and secure coding is still rarely taught in computer science programs.
  • Scalability: Both classes of scanning tools can produce thousands of results, the majority of which are often false positives or “informational” alerts. Discerning true positives from false positives can be arduous; examining a single finding requires 10 minutes on average. In other words, triaging only 240 issues requires 40 hours — a workweek — of effort. Few organizations have sufficient resources for this exercise and instead simply assign all findings to development.
  • Scarce security resources: According to the ISC2 2023 Cybersecurity Workforce Study, there are over 4 million unfilled cybersecurity positions, including more than 500,000 in North America and over 340,000 in both Latin America and Europe. Three-quarters of cybersecurity professionals perceive the present threat environment as the most demanding in the last half-decade. At the same time, just over half, at 52 percent, are confident that their organization has the necessary tools and personnel to address cyber incidents in the upcoming years. The “find and fix” approach requires extensive security expertise. Static analysis tools can be difficult to deploy and manage. Dynamic analysis requires a trained security resource and a staging environment. Providing guidance on the proper method for remediating vulnerabilities strains already scarce application security resources.
  • DevSecOps can complicate security: Development teams often face tight deadlines and resource constraints, prioritizing the delivery of features more quickly than ever. Rapid development methodologies like agile, DevSecOps, and Continuous Integration/Continuous Deployment (CI/CD) have grown in popularity. More rapid development and deployment methods are incompatible with many traditional security testing tools that require hours or days to complete. Testing for security after a build lengthens remediation efforts. Unfortunately, pressure to provide features previously promised to customers and stakeholders means many of these vulnerabilities may not be remediated prior to releasing the software.

Security by Design Mitigates Risk

Infographic: Security by Design Mitigates Risk.

A better approach is to build security into applications from the very beginning of the development process. Security by Design is an approach endorsed by CISA, the National Security Agency, and the Department of Justice in the United States, along with more than a dozen government agencies across the world, including:

What is Security by Design?

CISA defines Security by Design as a development process “that reasonably protects against malicious cyber actors successfully gaining access to devices, data, and connected infrastructure.” In short, it requires teams to perform a risk assessment to anticipate threats and risks to a product or application, then build protections into the application as part of the normal development process.

Why Security by Design Makes Sense

Infographic: Why Security by Design Makes Sense.

Building security into a software development process offers several benefits to organizations. Aside from simply protecting their own assets, a program that emphasizes building secure software can also:

  • Reduce risk: Vulnerabilities found late in the development process are often added to “technical debt” due to perceived pressure to release new features. In other words, vulnerable software is shipped with the intent to address vulnerabilities in a subsequent release. Security by Design minimizes vulnerabilities by anticipating threats and risks.
  • Reduce operational costs: While testing late in the development process will certainly uncover vulnerabilities, it comes at a high price. IBM (among others) has studied this and determined that a vulnerability discovered in system tests costs over 40 times more than if the bug was found and fixed during the design or coding phase. Those found in released software cost organizations over 600 times more!
  • Minimize legal liability: The US government announced its National Cybersecurity Strategy. The strategy “seeks to build and enhance collaboration around five pillars.” Pillar 3 – “Shape Market Forces to Drive Security and Resilience” – is particularly important to organizations building software. Strategic objective 3.3 is to “…shift liability [for insecure software products and services] onto those entities that fail to take reasonable precautions to secure their software…” This is a significant shift. In the past, software users have borne the risk of vulnerabilities. This strategy turns that paradigm on its head. Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency (CISA), took it further. During a speech in 2023, she stated, “…government can work to advance legislation to prevent technology manufacturers from disclaiming liability by contract…”
  • Provide competitive advantages: A study by Prevalent found that 71 percent of organizations surveyed cited their top third-party risk as “a data breach or other security incident due to poor vendor security practices.” As concerns about supply chain security continue to grow, many organizations are conducting risk assessments of potential vendors and partners. Vendor risk assessments for software include reviewing an organization’s practices and controls to identify and mitigate risk from vulnerabilities, including physical security risks that could arise from poorly implemented software controls.
  • Improve security at scale: Embedding security practices in the initial phases of application development allows development organizations to anticipate and address security issues at the design stage. By laying a secure foundation, organizations can scale their applications more confidently. As the application grows or evolves, the inherent security measures provide a stable and secure base for expansion, reducing risks associated with scaling.
  • Consistent Security Standards: Security by design and secure coding guidelines encourage the establishment of consistent security standards and best practices across all phases of the development process. This consistency ensures that security threats and corresponding countermeasures are applied uniformly from project to project, reducing the risk of overlooking vulnerabilities.

Implementing Security by Design When Resources are Limited

While the shortage of security workers is real, there are strategies organizations can use to compensate. Ongoing education and training can help shrink the skills gap by giving the existing workforce new security skills or, in other cases, by expanding existing roles to better cover the domains of application and product security. Training your development organization is certainly part of this strategy; however, we recommend going beyond foundational security training and providing role-specific training for leaders who can help the organization achieve its security by design vision. When resources are limited, organizations should look to people who are already in key development roles and give them Security Champions training. This tactic scales a security initiative by drawing in people without formal cybersecurity experience and giving them specific security training that builds on their existing role as builders of good, secure code.

What is a Security Champion?

A Security Champion is an individual within an organization who acts as an advocate for security-related matters. They play a critical role in enhancing an organization’s cybersecurity posture by bridging the gap between understaffed security teams and other departments or teams within the company.

Security Champions do not need to be senior development personnel. Those people already have multiple responsibilities. Likely candidates include software engineers, testers, and software architects. The most critical criteria are involvement in the day-to-day development process and an understanding of the team’s goals, processes, and culture. As members of the technical team, Security Champions bridge the gap between the needs of security and the demands of business and engineering. They understand the need for quick release cycles and can identify whether processes are effective or ineffective.

Security Champions are a Force Multiplier

Teams responsible for application security are dwarfed in size by development teams. The BSIMM 13 study by Synopsys analyzed 130 organizations and a total of over 400,000 developers managing over 145,000 applications. The average ratio of developers to Software Security Group members was 122:1. From an application standpoint, there was one Software Security Group member for every 43 applications!

Security Champions act as a force multiplier, extending the reach of security teams and promoting a security culture. They allow organizations to scale security and embed it within development teams. As developers first, they have a true understanding of the responsibilities of the development team and the requirements and pressures to ship functional software on time. Then, with their additional security training and their investment in security as a priority and as another important feature of their end product, they are able to advocate for security requirements sooner and more consistently within the development cycle. When an organization has more people thinking about security as they do their jobs, it is likely to produce more secure software.

Making Security a Business Priority

Embedding Security Champions in the development team provides the developer organization with a stake in understanding and implementing security requirements instead of a “top-down” imposition of security requirements. Having Security Champions changes the developer experience and their interaction with security. It reduces organizational friction, changing the paradigm from meeting unknown security requirements to one where security is a shared business priority and teams have a common objective.

How to Build a Successful Security Champions Program

Infographic: How to Build a Successful Security Champions Program.

We have long advocated for Security by Design and Security Champions. Our work with clients has revealed six “markers of success” that distinguish successful programs, the programs that let organizations secure their software and applications by design and ship them with confidence:

1. Align on How You’ll Measure Success

Most successful organizations started their programs by assessing the security posture and maturity of their development teams as well as gaining agreement on the best security frameworks to follow. To set reasonable expectations, they also agreed on what Key Results they needed to achieve. These included the number of security champions trained, the number of security champions deployed, and the number of development teams with champions embedded. This allowed them to set appropriate goals and track progress over time.

2. Making Security Training “Sticky”

Learning is a process, not an event. Event-focused training, training by mandate, and other training pitfalls can backfire on an organization. We saw higher success when development organizations engaged with training material on a frequent basis. Material must be relevant to each individual’s role and responsibilities. Tailored learning paths that provide just enough relevant training help prevent information overload and keep learners engaged. Contextual, just-in-time training embedded in security requirements tasks works best, because it reinforces security knowledge right when it is needed.

3. Commitment to a Changed Culture

Security by Design and Security Champions require a change in culture. This can include security personnel sharing responsibilities they previously “owned.” To help break down barriers, one organization assigned eight cybersecurity experts for each area of expertise to act as mentors to the Security Champions. Another established a formal communication channel between Application Security, Security Champions, and Development teams to encourage exchanges. Leaders who align their objectives for security by design and communicate their progress against key security initiatives are communicating to the organization that they are committed to making a change in their approach and process.

4. Champions Among Peers

When only security and development leaders act as security champions, rank-and-file team members look at the program as being the responsibility of “management.” Culture change requires champions among peers. We found that organizations that adopted self-nominated Champions were able to better effect change. Seeing security advocates working shoulder to shoulder with the frontlines sustains what’s communicated top-down with execution from the bottom up.

5. Executive Sponsorship

Senior leadership support across departments is crucial to any successful program. This is particularly true when committing to Security by Design and Security Champions. Adopting these initiatives can include changed processes, responsibilities, and goals. We found that commitment to changing to a culture of security – including when this could delay a release – trickled down into commitment at every level of the organization. Having C-suite leaders affirm the value of security and its importance as a key company initiative goes a long way. This communicates the magnitude of security by design as a business requirement, not just a problem for security leaders to solve.

6. Include the Right Tools

People and processes are a big part of a successful program. However, the right technology allows processes to scale in a consistent and repeatable manner. Software manufacturers with mature security capabilities may turn to threat modeling tools to achieve their security by design vision. For example, our threat modeling and secure development platform, SD Elements, has been integral to our customers’ security by design journeys. It allows teams to automate threat modeling and create secure, compliant software by design. SD Elements provides teams with consistent and effective countermeasures at scale. These are automatically assigned to the appropriate personnel for implementation during appropriate phases of the normal development process. Supported by role-based Application Security Training, our customers have trained their developer workforce in security. They have also stood up Security Champions programs, which helped them put Security by Design into practice. Security Champions embedded within the development organization advocate for these security processes and support the scaling and adoption of Security by Design practices, especially when empowered with the right technology.

The Need for Security by Design

In today’s fast-paced and risk-laden digital landscape, embracing Security by Design is not just a recommendation; it’s a necessity. An organization that is educated in security by design and has embedded Security Champions will be better positioned to apply security by design principles throughout the Software Development Life Cycle and to foster a resilient, security-conscious culture across its teams.

Navigating this transformative journey requires expertise, strategic insight, and the right tools. This is where Security Compass steps in as your trusted partner. We’re not just advocates of Security by Design; we have pioneered security skills training and secure development tools that help you achieve it. We help you to confidently tackle security challenges head-on and secure your software by design and all throughout your development lifecycle.

Reach out to Security Compass today to chart your course toward a more secure digital future. Book a demo with us today and take the first step towards transforming your security landscape with Security by Design.

The Ultimate Guide to Building an Application Security Training Culture & Program https://www.securitycompass.com/blog/the-ultimate-guide-to-building-an-application-security-training-culture-program/ Tue, 15 Aug 2023 14:40:04 +0000 https://www.securitycompass.com/?p=41598 In today’s digital world, security is a top priority for organizations of all sizes. With the strategic importance of digital assets, plus the increasing number […]

The post The Ultimate Guide to Building an Application Security Training Culture & Program appeared first on Security Compass.

In today’s digital world, security is a top priority for organizations of all sizes. With the strategic importance of digital assets, plus the increasing number of cyber-attacks and data breaches, businesses of all sizes need to ensure that their applications are secure.

Delivering on this business priority begins with rolling out an Application Security training program within your organization.

What is an Application Security Training Program

An AppSec training program is essential to a successful application security program and process. As the threat landscape continues to evolve, organizations must prioritize security at every level of the development process to stay ahead of the curve. Empowering development teams is an effective and cost-efficient building block of a successful application security program.

An application security training program should:

  • Establish a knowledge baseline for staff at various experience levels.
  • Include comprehensive training that teaches software development teams about code vulnerabilities and compliance.
  • Be relevant to the technology stacks that your organization uses.
  • Cover, at minimum, security concepts such as secure coding practices, threat modeling, regulatory compliance, and security testing.
  • Ideally, deliver courseware in a format that is engaging and easily consumed by the audience, to make the most of their valuable time.

7 Benefits of Application Security Training

Here are some benefits of implementing an AppSec training program to the success of your organization’s overall AppSec program and process:

1. Reduced Risk of Data Breaches

Data breaches can cause irreparable damage to an organization’s reputation, financial stability, and customer trust. An application security training program can help reduce the risk of data breaches by teaching developers how to prevent, identify and fix vulnerabilities in their code before going to production. By creating a culture of security awareness and best practices, your organization can minimize the likelihood of a successful attack.

2. Improved Code Quality

An application security training program can also lead to improved code quality. When developers understand how to write secure code, they can create applications less prone to security vulnerabilities. This can result in fewer bugs, increased reliability, and faster development cycles, given more proactive processes and less rework time.

3. Compliance with Industry Standards

Many industries have regulatory requirements for security and data protection. Implementing an application security training program can help your organization comply with these standards. By training your developers in secure coding practices, you can demonstrate your commitment to security and avoid costly fines and legal issues with attestations on which languages and frameworks your developers have been trained.

4. Cost Savings

Investments in an application security training program can lead to cost savings in the long run through improved productivity. By identifying and fixing security vulnerabilities early in the development process, you can avoid costly rework and remediation efforts down the line. This can result in faster time to market, increased efficiency, and, ultimately, a higher return on investment.

5. Increased Customer Trust

Customers today are more security-conscious than ever before. By implementing an application security training program, you can show your customers that you take their security seriously. This can help build trust and confidence in your organization and increase customer loyalty when customers can expect products that are secure by default.

As the threat landscape evolves, organizations must prioritize security at every level of the development cycle to stay ahead of the curve.

6. Competitive Advantage

Whether competing for customers or top staff, security training benefits your organization in both areas. Retaining customers and retaining quality employees both benefit from your organization’s ability to support your staff’s professional development in this underserved area. It also correlates directly with the timely delivery of secure, high-quality products.

7. Staff Enablement (Product Security & Role Security Awareness)

Roles that develop and deliver products and manage third-party vendor components, such as engineering, security, architecture, threat modeling, and their supporting functions, are on the front lines of delivering secure and risk-free products to your customers. Since post-secondary institutions are behind the curve in producing graduates with the AppSec skill set that industry needs, many organizations must establish baseline role-specific and domain-specific knowledge for their critical-path staff themselves.

How To Roll Out an AppSec Training Program

Creating and rolling out an impactful, well-received, and successful organization-wide skills training program can be daunting. However, with the right planning, strategy, and execution, it can be a rewarding experience for both the organization and its employees.

9 Steps to Safeguard Your Training Initiative’s Success

Here are some best practices to consider when creating and rolling out an organization-wide security skills training program:

Step 1. Identify Learning Objectives

The first step in creating an organization-wide security training program is identifying the learning objectives. What are the skills or knowledge areas that the organization wants its employees to learn or improve? Identifying specific learning objectives that align with the organization’s goals and objectives is essential.

Step 2. Define the Target Audience

Once the learning objectives have been identified, the next step is to define the target audience. Who are the employees that will benefit from the training program? It is essential to consider the roles and responsibilities of the employees, as well as their skill levels, to ensure that the training program meets their needs.

Step 3. Choose a Training Methodology that can Scale

Choosing the right training methodology and training vendor is crucial for the overall program’s success. Organizations need a combination of content and delivery methodology that scales across the organization, is well-received by the audience, and provides measurable impact. It is essential to choose a method that is engaging, interactive, and effective.

Step 4. Develop Engaging Content

Developing engaging content is essential to the success of the training program. The content should be relevant, up-to-date, and easy to understand. It should also be interactive and include practical examples that employees can relate to their day-to-day work.

Step 5. Reinforcement and Ongoing Support

Providing ongoing support is crucial to the maturing of your training program. Give employees access to resources, a breadth of content for continuing education, job aids, and reference materials that they can use to reinforce their learning. Industry-standard certification paths, Security Champions programs, manager- or security-champion-led remediation, and coaching and feedback will also help employees apply their newly acquired skills. Training isn’t a one-time event. Reinforcement is needed, and just-in-time, just-enough training coaches developers on the job, applies security concepts to real-world applications, and measures their progress. Consider how your secure development tools help employees identify requirements and security issues and give them referenceable examples for remediating those issues with countermeasures.

Step 6. Top-Down Mandates and Measurement of the Program’s Effectiveness

Measuring the program’s effectiveness is crucial to ensuring that it meets the organization’s goals and objectives. Executive promotion and mandates drive security culture change. It is essential to track employees’ progress and assess their learning outcomes. This will help the organization identify any gaps and make the necessary adjustments to the program. Rewards, exclusive memberships, and competitions around training goals are a long-term, sustainable way to leverage people’s natural competitiveness and add a gamified “fun” aspect to your program.

Step 7. Communicate the Benefits & Success

Communicating the benefits of the training program to employees is crucial to its success. Employees need to understand why the program is important and how it will benefit them in their current role and in their career development. It is also important to communicate the program’s impact on the organization and its strategic goals. Leader boards and organizational dashboards are an effective way to communicate the organization’s progress continuously, add some competitive motivation, establish cultural norms, and create executive urgency.

Step 8. Third-Party Affirmation

Most teams have the best intentions, but additional motivation can only help, since they usually also have a competing to-do list. One such motivator is to use your training program to support an employee’s desire to obtain industry-recognized third-party certifications such as those from ISC2. Look for courseware that is accredited by ISC2 toward annual CPE credits and that prepares your staff to write an ISC2-accredited certification exam. This maximizes employee time, provides an additional resume-worthy accomplishment, creates the foundation for a Security Champions program, and stimulates team competitiveness to achieve the corporate gold security standard along with its accolades.

Step 9. Establish a Time Efficient Annual Knowledge Assessment Baseline that is Tied to Employees’ Objectives and Key Results

Staff often ask, “Why do I need to take this course again since I took it last year?” Since developer time is a valuable commodity, that’s a fair question.

The answer is you may not need to invest an hour of your time to retake the course, but you do need to demonstrate that you meet a knowledge baseline. To meet annual contractual/regulatory compliance criteria or to maintain your risk reduction security culture, a reportable self-service assessment will easily demonstrate up to the Executive Board level that you are maintaining your security knowledge baseline.

Security Compass’ Application Security Training courses are designed with this flexibility in mind. Individual courses can benefit various knowledge and experience levels within an organization.

Many organizations have established annual guidelines for Security Awareness training for all employees in order to reduce exposure to risks.

Be it Security Awareness, AppSec Fundamentals, OWASP Top 10, etc., Security Compass’ Application Security Training courses are designed to be flexible and efficient for the use case of enabling knowledge self-assessment. As part of an annual Security Training Program requirement, they allow staff to jump straight to the final 10-minute exam to prove what they know in order to comply with annual Human Resources requirements. With real-time feedback, if a user fails the exam, they can focus their efforts on reviewing just the topics they are weak on, then successfully rewrite the exam.

Consider the benefits of importing this type of LMS reporting into your HR system and/or org performance dashboards to drive the company culture aspect.

That is a win-win scenario for both the organization and staff.

Conclusion

Creating and rolling out an organization-wide AppSec training program can be challenging, but it is essential for the organization’s and its employees’ success. By following these best practices, organizations can develop a training program that is impactful, well-received, and successful in achieving its goals and objectives.

Security Compass is here to assist you from start to finish. We work with customers from start-ups to multinationals in all phases of their program maturity.

From security awareness training for team members, to full-fledged role-based learning paths, to support for senior development staff and Security Champions programs via an ISC2-recognized certification path (and bragging rights), AppSec training is a sound foundation and a great starting point for rolling out an AppSec program.

The post The Ultimate Guide to Building an Application Security Training Culture & Program appeared first on Security Compass.

Preparing for PCI DSS V4 https://www.securitycompass.com/blog/preparing-for-pci-dss-v4/ Thu, 08 Jun 2023 14:06:05 +0000 https://www.securitycompass.com/?p=39593

The post Preparing for PCI DSS V4 appeared first on Security Compass.

PCI-DSS (Payment Card Industry Data Security Standard) is a widely recognized set of security standards designed to ensure the safety of payment card information. PCI-DSS v4 is the latest iteration of this standard, and it has introduced some significant changes to help combat the growing threats to payment card data. In this article, we will delve into the details of the new PCI-DSS v4 standard and what it means for businesses.

A Short History of the PCI DSS

As eCommerce grew in popularity during the DotCom era, so too did credit card fraud. In the early 21st century credit card companies began issuing security standards for their merchants and payment processors. To simplify compliance, in 2004 Visa, Mastercard, American Express, Discover, and JCB introduced the Payment Card Industry Data Security Standard (PCI DSS). Version 1 of the standard was designed to establish a common set of security requirements for all merchants and service providers that handle credit card information.

The initial versions of the DSS were brief while managing to cover the primary threats faced by organizations at that time. While the wording has changed a little, Version 1.1, introduced in 2006, covered the same six domains still used today. Coming in at just 17 pages (including cover pages and appendices), it helped organizations mitigate threats by deploying firewalls, encrypting data, and developing secure systems.

PCI DSS 4.0

In response to changing threats, in March 2022 the PCI Security Standards Council released PCI DSS v4.0. While the standard maintains the six domains and 12 requirements of the original versions, it now covers over 350 pages of guidance and prescriptive controls. Compared to version 3.2.1, PCI DSS 4.0 includes over 80 evolving requirements, including 60 new requirements. These range from encryption algorithms used to render PAN unreadable on removable electronic media to new requirements exclusively for service providers.

Given the vast changes in 4.0, the Council is allowing organizations and auditors time to prepare for compliance. Many of the new requirements are “future dated” and not required until March 31, 2025. In the meantime, they are considered “best practices.” Organizations are encouraged to implement these items but are not required to validate the controls. The timeline below from the PCI Security Standards Council provides further color.

Requirement 6: Develop and Maintain Secure Systems and Software

Just as the PCI DSS has changed to address emerging needs, so too have software development processes. Long gone are the days of quarterly releases and minimal security checks. Today’s development teams must meet faster release cycles with more stringent security requirements, and the “shift left” movement has moved security earlier into the development process. The need for developer-centric security has never been greater.

For this reason, we want to focus on the changes in Requirement 6 that pertain to building more secure software.

Requirement 6.1: Processes and mechanisms for developing and maintaining secure systems and software are defined and understood.

Beginning a security program requires organizations to establish policies and best practices. Requirement 6.1 is designed to track that and ensure that organizations develop, maintain, and follow secure coding practices for applications they develop and that these practices are integrated into the software development life cycle.

Requirement 6.1.2: Roles and responsibilities for performing activities in Requirement 6 are documented, assigned, and understood.

Effective Date: Immediate for all v4.0 assessments

6.1.2 is new. Similar language is also present in all requirements. Previous versions of the PCI DSS rarely required documenting which roles had day-to-day responsibility for each activity. It appears the Council has recognized that group accountability is insufficient to ensure security and that PCI compliance must be part of an organization’s “business-as-usual” processes. It recommends auditors “Examine documentation to verify that descriptions of roles and responsibilities for performing activities in Requirement 6 are documented and assigned.”

Requirement 6.3 Security vulnerabilities are identified and addressed. 

The security efforts of many organizations focus on Requirement 6.3. The requirement is far reaching and is also referenced across other Requirement 6 sub-requirements as well as Requirement 2.2 (System components are configured and managed securely), Requirement 11.3 (External and internal vulnerabilities are regularly identified, prioritized, and addressed), 11.4 (External and internal penetration testing is regularly performed, and exploitable vulnerabilities and security weaknesses are corrected), and others.

6.3.2 An inventory of bespoke and custom software, and third-party software components incorporated into bespoke and custom software is maintained to facilitate vulnerability and patch management.

Effective Date: March 31, 2025. Best practice until effective date.

Requirement 6.3.2 is a significant change to the DSS. It also is not a surprise to anyone who has been following application security in recent years. According to the 2023 Open Source Security and Risk Analysis report from Synopsys, open source comprises 76 percent of the average commercial application. 84 percent of those code bases included at least one vulnerability in open source components, and 48 percent contained high risk vulnerabilities.

Vulnerabilities in open source are particularly troublesome. Identifying zero-day vulnerabilities in custom applications is difficult. Publicly disclosed vulnerabilities in open source components can be repurposed easily by attackers to identify vulnerable systems. This threat gained a lot of attention after the Equifax breach in 2017. More recently, Executive Order 14028 requires organizations providing software to the US government to include a Software Bill of Materials, or SBOM. Many organizations recognized this threat years ago and began tracking the open source they use. PCI DSS 4.0 makes it a requirement.

6.4 Public-facing web applications are protected against attacks. 

Publicly facing web applications are the perimeter for sensitive information. Adversaries have unfettered access to these applications, and coding errors, design flaws, or misconfigurations can provide easy access to sensitive data.

6.4.2 For public-facing web applications, an automated technical solution is deployed that continually detects and prevents web-based attacks, with at least the following:

• Is installed in front of public-facing web applications and is configured to detect and prevent web-based attacks.

• Actively running and up to date as applicable.

• Generating audit logs.

• Configured to either block web-based attacks or generate an alert that is immediately investigated.

Effective Date: March 31, 2025. Best practice until effective date.

Requirement 6.4.2 is a reminder that – even in the most diligent development environments – residual risk can remain. An “automated technical solution” like a web application firewall (WAF) is designed to protect web applications from threats such as Denial of Service (DoS), SQL injection, and cross-site scripting attacks.

An interesting aspect of 6.4.2 is the requirement to “prevent” web-based attacks. Most organizations deploy a WAF to generate alerts rather than block all suspicious activity, since the latter can also result in false positives that block legitimate traffic. One assumes that a WAF that prevents some attacks (for example, through rate limiting to block brute force attacks) will meet auditors’ requirements.

6.4.3 All payment page scripts that are loaded and executed in the consumer’s browser are managed as follows:

• A method is implemented to confirm that each script is authorized.

• A method is implemented to assure the integrity of each script.

• An inventory of all scripts is maintained with written justification as to why each is necessary.

Effective Date: March 31, 2025. Best practice until effective date.

Like Requirement 6.3.2, this requirement necessitates visibility into potential threats, including the creation and ongoing management of an inventory of the payment page scripts used in an application. The DSS suggests teams can meet this requirement through the use of Subresource Integrity (SRI) and Content Security Policy (CSP) controls.

How SD Elements Helps

Version 4 of the PCI DSS introduces 60 new requirements with which development, security, and operations teams must comply. But it is just one of many regulatory frameworks against which organizations must anticipate, understand, and validate their applications. Keeping controls current with rapidly changing and often overlapping requirements can challenge even the most well-staffed and funded organizations.

The key to compliance is visibility into requirements and consistency in approved security controls. Testing for compliance at the end of the development process slows down development and contributes to friction between development, compliance, and security teams. Teams can only maintain compliance while meeting aggressive product delivery goals by anticipating each requirement and assigning controls to appropriate team members prior to beginning development.

While many of the new requirements will not be enforced until 2025, smart organizations are preparing today. SD Elements provides teams with a simple method for complying with PCI DSS and scores of additional security and privacy guidelines. It includes developer-centric recommendations for how to satisfy PCI-DSS v4.0 requirements, including specific countermeasures and e-learning coursework.

Using SD Elements is simple. It starts with a short survey describing an application’s technical stack, deployment environment, and relevant regulatory guidelines. SD Elements translates these into a list of security requirements and actionable controls that are assigned to development, security, and operations personnel through their normal workflow. Making PCI DSS compliance part of your “business as usual” operation minimizes the chance of compliance violations and ensures developers are leveraging a secure, reliable source of information.

Ready to see what SD Elements can do? Book a demo!


Balancing People, Process, and Technology: A Formula for Successful Application Security Training Rollout https://www.securitycompass.com/blog/balancing-people-process-and-technology-a-formula-for-successful-application-security-training-rollout/ Wed, 29 Mar 2023 19:38:30 +0000 https://www.securitycompass.com/?p=31655

The post Balancing People, Process, and Technology: A Formula for Successful Application Security Training Rollout appeared first on Security Compass.

Congratulations! If you’re reading this blog, you’ve probably selected your application security training product and are now ready to roll out your security training program.

But do you actually have everything you need for successfully rolling out your security training program?

To ensure that your investment in security training gives your organization the best return, organizations like yours need to balance a formula for success. Take the time to map out how people, processes and technology will come together for the successful rollout of your security training program.

When you’ve finished reading this, you will better understand how you can set yourself up for success and get a great return on your investments in security training.

Start with a clear view of your training landscape. You need to be aware of common blockers to successfully execute training programs and how to work through and around them. 

A) Champion Change

Naysayers and resistors can adversely influence your training culture. Make sure you have alignment across your organization that learning, and especially secure development training, is integral to your company culture. You can be severely blocked if there is negativity towards the pursuit of new knowledge and a mindset of learning.

You need to champion change in your organization. Champions for security training will influence your team to embrace mandated training and the necessary security learning. Identify those who understand the value of training, particularly of security knowledge and practices, and empower them to build up those who would evangelize and encourage teammates, direct reports, and peers.

It’s important to have champions at various levels within your organization to ensure that the support for your program is multi-directional. You may benefit from formally identifying these champions in internal communications to share with the wider team whom they can look to for support. When learners in your organization see executives and leaders champion training, they will realize how training is prioritized. Seeing managers champion learning and support their direct reports with check-ins, as well as allocating and enforcing training time, will help learners feel that their managers are walking the talk and respecting the importance of training to how they get their work done. Realize the value of people to the formula for successful security training!

B) Dispel Discouragement

Imagine the negativity that can be internal to a learner. Picture them spiraling because they are overwhelmed by the volume of what they think they need to know and because they feel like they don’t have enough time to learn it all before everything changes and they need to learn new standards, frameworks, and requirements.

Now, think about your development organization. Your developers are not security experts. They likely received very little formal security training, and they just want Application Security experts (if they have access to them) to tell them only what they need to know to be able to exit their builds and sprints, having fulfilled security requirements. On the flip side, Application Security experts could probably appreciate having an extension of their team to stay on top of everything that’s changing as frameworks get updated, as relevant standards get established, and as new ways to defend are discovered. How do you keep such stakeholders encouraged about their learning activities?

Dispel discouragement in your development organization. Get ahead of learner overwhelm. Show them that you, as the Learning Program Manager, will balance the information they need to know with the time they need to learn it, so they can still do their jobs well. Have clear objectives and curated learning paths, so that you can separate what is absolutely necessary from what is optional. This may even give your learners space to get excited about expanding their knowledge base beyond the minimum requirements. Encourage your learners by helping them stay motivated. Remind them they are going to work only on what’s absolutely necessary and that they will have enough time and support to meet their security training objectives. Your training provider may even offer support activities that contribute to measurable and repeatable success with adoption, completions, and engagement. Don’t forget to leverage them as a resource in preventing learner overwhelm with activities like curating learning paths, setting learning objectives, and creating transparency and accountability with user reporting and learner reminders, just to name a few.

C) Enable Engagement

Let’s picture your team already being intrinsically motivated to learn. They understand that security is a priority for your organization and know how they must achieve secure software development by completing their training. You, however, shouldn’t underestimate the importance of appeal and incentive to successfully roll out your security training program.

Unblock apathy to training with techniques that enable engagement. Do external incentives appeal to your learners? Plan contests and rewards for learning achievements. You’ll encourage friendly competition, accountability for completing mandated learning objectives, and pride in their security training achievements. Establish processes to help you execute your training program and provide additional support for your learners.

Bottom Line

Be prepared for better security training program adoption. Plan for measurable success that will put your team on a better path for establishing secure development knowledge and delivering applications users will trust. Work your formula for success, have the right people in place + processes that work + the right technology and content for security training your team can use and apply for securing your software development lifecycle.

At Security Compass, we understand the importance of providing effective and efficient application security training solutions that can help organizations achieve their security objectives. If you are looking for comprehensive and customizable training programs for your team, visit our Application Security Training page and see how we can help you improve your security posture today. Take action now and invest in the future of your organization’s security!

Author Bio: ISABELA P. AUREUS

Isabela is a Product Marketing Manager at Security Compass, focused primarily on Application Security Training. Among the many hats she’s worn in her creative and strategic marketing tenure, Isabela has also written content about secure development training, retail customer engagement, customer experience, and loyalty marketing.


The Value of Contextual Learning for Developers https://www.securitycompass.com/blog/the-value-of-contextual-learning-for-developers/ Wed, 30 Nov 2022 20:25:53 +0000 https://www.securitycompass.com/?p=26107

The post The Value of Contextual Learning for Developers appeared first on Security Compass.

There are two primary sources for vulnerabilities in software. The first – design flaws – result from poor architectural decisions. These can include assuming an entity is trusted, failure to require a check of a user’s authorizations after authentication, and other common errors. Many design flaws can be avoided through threat modeling.

The second source of vulnerabilities is coding errors. Coding errors can result in vulnerabilities in the open-source components organizations use, of course. However, our focus today is on coding errors in the custom software written by internal development teams.

Coding errors occur when a developer is either unaware of secure coding best practices or forgets them due to pressure to deliver functionality. This is why security standards such as the Payment Card Industry Data Security Standard (PCI DSS) require organizations to train software development personnel on secure coding.

Traditional Training Isn’t Working

The idea is simple. Training developers on secure coding practices will reduce vulnerabilities. When done correctly, everyone wins. Developers improve their skills while eliminating unexpected security rework and customers gain confidence in their supply chain. In practice, many organizations miss the benefits by treating training as an event instead of a process.

The PCI requirement mandates training “at least once every 12 months.” This leads some organizations to require that developers complete a single online training course annually. While this meets the minimum PCI DSS requirement, it is ineffective. As we have previously written, without reinforcement, students forget 35 percent of a lesson on the first day and 75 percent in the first week! Early, repeated support – treating learning as a process – increases retention.

Wise development leaders recognize that limited training communicates to teams that professional development is not a priority. However, our 2022 DevSecOps Perspectives on eLearning report found that the average amount of time spent annually on application security learning amounts to just two and a quarter (2.25) days per year. This is not a good retention strategy when 87 percent of millennials believe “professional or career growth and development opportunities” are important to them. Another study found that “40 percent of employees who receive poor job training leave their positions within the first year.”

How Employees Want to Learn

Since a motivated student is a better student, our research on employee training focused on how employees want to learn. The 2022 Developer Perspectives on Application Security study found:

  • Training should meet the developers where they work: 27 percent want training embedded in their tools, and 26 percent want firsthand examples and exercises. Only 5 percent preferred in-person lessons.
  • Training should be on demand: Overall, only 16 percent of developers believed the best time to do training was “at a time designated by the organization.” 81 percent preferred “on-demand” training when starting a new task, encountering a coding problem, or addressing vulnerabilities.
  • Training should be geared to the role: 72 percent want vendor or technology-specific training to help them perform their jobs. This also requires training that is contextual and relevant to specific tasks.
  • Work/life balance is part of the equation: 68 percent of employees prefer to learn at work. A majority – 58 percent – prefer to learn at their own pace.

How Security Compass Helps

Security Compass takes a developer-centric approach to learning, combining our secure coding expertise and modern instructional design to deliver training to developers where they work and when they need it. We offer dozens of role-specific courses covering the entire SDLC, ranging from security basics to deep dive classes and learning paths for specific coding languages. On-demand, interactive training enables your team to access courses at any time and learn at their own pace.

Our Software Security Practitioner (SSP) Suites are pre-selected sets of courses for specific coding languages or specific roles within the development team and earn accreditation from the International Information System Security Certification Consortium ISC2. These courses enable developers to learn foundational elements of software security, language-specific secure coding skills, as well as security skills needed for other roles in the SDLC such as architect, QA, and project management.

Learner retention can be further enhanced by supplementing our on-demand courseware with SD Elements Just in Time Training (JITT). SD Elements delivers relevant, bite-sized contextual learning directly to the Agile planning tools developers use. Based on the threats and countermeasures surfaced by modeling an application in SD Elements, JITT modules are delivered to developers through their existing workflow, along with code samples and how-tos relevant to the task at hand. Providing micromodules in the workflow boosts retention of the security concepts taught in on-demand courseware.

You can see more insights from our research on training by downloading our report here.


Using the Threat Modeling Manifesto https://www.securitycompass.com/blog/using-the-threat-modeling-manifesto/ Wed, 16 Nov 2022 13:55:21 +0000 https://www.securitycompass.com/?p=24855

The post Using the Threat Modeling Manifesto appeared first on Security Compass.

We have written before about what threat modeling entails and its many forms. Organizations can take different approaches, particularly when building manual threat models. This is unsurprising. Different organizations have different needs, technology stacks, and expertise.

With the widespread adoption of rapid development methodologies like DevOps, traditional threat modeling became difficult. Taking weeks of senior development and security professionals’ time was incompatible with a strategy of quickly responding to customer needs.

Recognizing the importance of threat modeling – particularly in a rapid development environment – in 2020 a group of 15 experienced threat modelers joined together to redefine threat modeling as core values and principles. The resulting Threat Modeling Manifesto acknowledges there is no single “best” threat modeling process. Instead, it distills the process to answering four key questions:

1. What are we working on? Define the project, its components, and its environment.

2. What can go wrong? Identify the threats to the project, including its deployment environment.

3. What are we going to do about it? Define the threat countermeasures and security controls.

4. Did we do a good enough job? Validate that the countermeasures are implemented properly and work as designed.

Why you should care about Threat Modeling

Threat modeling allows teams to anticipate weaknesses in an application that an adversary could exploit and identify countermeasures and controls to mitigate those weaknesses. These countermeasures and controls become non-functional security requirements development and operations can implement alongside the functional product requirements. This proactive approach reduces the number of vulnerabilities that would otherwise be identified by security testing later in the development process (or completely overlooked!).

How to use the Threat Modeling Manifesto

The Manifesto is not prescriptive regarding how one should answer the four key questions. Rather, it relies on guiding values, principles, and beneficial patterns for performing threat modeling.

Meeting the values can require organizations to change the way they think about threat modeling. Successful programs are not rigid and fixed. Rather than meeting minimum compliance requirements, the first value recommends building “a culture of finding and fixing design issues.” Others recognize that successful threat modeling is a “journey of understanding,” and a need for “continuous refinement” of the process.

Principles are “fundamental truths of threat modeling.” These can help an organization determine “how” they will approach the task. Principles include using threat modeling early and frequently. Threat modeling must be an iterative process as a threat model for an application can quickly become out of date. The principles also recognize that threat modeling exercises will differ depending on the development practices of the organization or team and must be “scoped to manageable portions of the system.”

The Manifesto helpfully provides “patterns” that benefit or inhibit successful threat modeling. Beneficial patterns include taking a systematic approach. To be thorough and repeatable, threat modeling should be a structured process. While the process may change (continuous refinement) it is important to apply organizational knowledge consistently. A second beneficial pattern is to use “tools that allow you to increase your productivity, enhance your workflows, enable repeatability and provide measurability.”

The Manifesto’s “anti-patterns” call out behaviors to avoid. These include the “Hero Threat Modeler,” where organizations assume that threat modeling must be confined to a small group of people with unique skills. Threat modeling requires a diverse team that understands the strengths and weaknesses of programming languages, deployment environments, and internal capabilities. It also requires an understanding of applicable regulatory requirements. In short, “everyone can and should do it.”

[Infographic: How to use the Threat Modeling Manifesto]

How SD Elements helps

Adhering to the principles and beneficial patterns can be challenging when conducting manual threat modeling. Traditional threat modeling can be inconsistent. Output from manual threat models reflects the knowledge and biases of those participating in the exercise. As team members change, the identified threats and controls will also change. Teams often maintain the threats and countermeasures identified in a manual threat model in a spreadsheet or shared document. This provides poor evidence of compliance with corporate policies and regulatory standards.

Organizations require automation and a developer-centric approach to achieve scalable, consistent, and auditable threat modeling. Security resources are scarce across all organizations. The BSIMM 13 report published by Synopsys in 2022 surveyed the application security resources and processes at 130 enterprises. On average, it found 1 software security resource for every 122 developers and 43 applications.

SD Elements is a developer-centric threat modeling solution that helps organizations extend scarce security resources. It enables self-service threat modeling that identifies weaknesses and compliance requirements at the beginning of a project, then delivers consistent and approved developer-friendly secure coding best practices and countermeasures directly to developers, significantly reducing cyber risks. Developers can quickly update threat models as features and requirements change, without waiting for security resources.

The economic benefits of this approach are significant, increasing developer productivity and reducing security rework later in the development lifecycle. A study by Forrester Consulting found that using SD Elements produced benefits of increased productivity, reduced costs, and avoided vulnerability remediation totaling over $2.8 million and a 332 percent return on investment.

How to start threat modeling in your organization

You can learn more about the different methodologies to threat modeling in our white paper: Threat Modeling: Finding the Best Approach for Your Organization.

