What Should a Secure Code Training Plan Include?


Overview

Secure Code Training is a common practice in organizations that employ engineers. It is often run annually, or more frequently, for regulatory or compliance reasons. From my experience, Secure Code Training should touch on the following:

  1. What is Secure Code Training?
  2. What are the goals of the training?
  3. Why is Secure Code Training important?
  4. How do you complete the Secure Code Training?

Each of these topics is touched on below! In short, we’ll be discussing the what, the why, and the how of Secure Code Training.

What is Secure Code Training?

You should first establish for the trainee what Secure Code Training is. Many organizations define it differently, but to put it simply, Secure Code Training is training that helps engineers write more secure code and identify vulnerabilities in existing code.

What are the goals of the training?

Once you’ve established what it is, you should define the goals of the training. It helps to identify both personal and organizational objectives. For example:

  • Personal: Improve awareness of major vulnerabilities and learn secure coding practices in order to prevent them.
  • Organizational: Minimize attack vectors by producing more secure code and reducing vulnerabilities that may result in security incidents in applications.

Why is Secure Code Training important?

“Because the Information Security Policy says so…” may be a good enough reason for a client or auditor, but to an engineer it’s a pretty terrible one. You should define why you are conducting the training beyond just explaining what it is.

For my teams I have given a multitude of reasons including:

  • Secure code training reduces future vulnerabilities.
  • This training helps the engineer be a bigger part of the solution and take responsibility for securing their code.
  • The further along in the Software Development Lifecycle a vulnerability is discovered, the more it costs to fix.

How do you complete the Secure Code Training?

Now that you’ve explained the what and the why of Secure Code Training, you should tell engineers how they will complete the training. Here are some tips for how to do this:

  • Start with best practices.
  • Focus on both offensive and defensive methods.
  • Provide a self-paced method that works for a variety of teams.
    • Some may prefer to ‘burst’ through the process while others might complete the training in ‘bite-sized’ increments.
  • Add a hands-on component.

Summary

Aaaand that’s it! Kind of. When you are first drafting the training, make sure you obtain feedback early and often. It never hurts to start with a simple, high-level training plan and socialize it.
