There are many training options available in the application security realm. The right choice for your organization depends on where you are in the application security journey, your specific training goals, and of course both your time and financial budgets. Most third-party training seems to be heavily discounted, so the direct financial cost per learner can vary quite a lot. At any rate, a proper accounting of staff time will likely show that this time commitment is your largest cost.
Training Formats
On-line static training
This training walks the learner through the material and often provides quiz questions to reinforce the learning experience. The training is generally available on a subscription model. The most comprehensive catalogs are from vendors such as Synopsys and Veracode that specialize in application security. These comprehensive security catalogs are a great place to start for new programs, but a careful review will show some topics of interest to be under-represented.
There are also on-line security training options from broader training platforms such as O’Reilly and Udemy, which vet and resell third-party training. If your corporation has deployed a commercial LMS (Learning Management System), you may find you can add security courses to your existing platform.
On-line lab-based training
This exciting approach to training has become more economical with the widespread availability of cloud computing. With this model the learner is provided with a personal set of VMs configured with specific tools and applications. It is essentially an extension of on-line static training and is appropriate for some domains and less so for others. Both the cost and the learner time commitment will be higher than with static training. Like static training, it is generally available on a subscription basis.
Instructor-led Training
This training format may make sense for in-depth coverage of certain topics such as penetration testing or cryptography. It may also make sense for organizations that are looking to jump aggressively into application security and get over the training hump just as soon as possible.
Self-directed training
There is a tremendous amount of application security material available directly on the Internet, in textbooks, and in periodicals.
The Training Program
The training program should consider the following:
- Selection of specific training, most likely from one or more commercial vendors.
- What staff functions are trained? You will almost certainly want to train development staff, but you should also consider other roles such as quality assurance, product marketing, documentation, and management.
- Is the training mandatory? External stakeholders are likely to want to hear this. This in turn raises questions about whether the training is tied into HR systems and processes.
- Will you promote optional training?
- How is the training managed in subsequent years? The challenge is to refresh learners without forcing them through exactly the same material.
- How is the training integrated into the new-hire process?
Vendor Selection
You will need to consider the following:
- Quality of course material. This can be time-consuming to assess. You will want to consider presentation style, sound quality, language accents, etc.
- Coverage. If you have a lot of C++ developers and the course catalog does not address Secure Coding in C++, you might have the wrong vendor.
- Cost.
- Up to date? For example, does an OWASP course cover the most recent version of the OWASP material or an earlier version? What is the vendor’s promise for course maintenance?
- Technical integration. For example, is there single sign-on integration with your IT systems? Are there export/import mechanisms for provisioning and reporting?
- World-wide support? If you are using the vendor’s platform, does it work well everywhere you have staff?
In-House Material
As your application security program matures you will develop a body of proprietary information that you will want to share with the staff:
- Processes and policies.
- Technical recommendations. For example, “use this specific input sanitization library.”
- Experience. For example, relating details of actual exploits against your product, or the demands of specific customers and prospects.
You will likely use this material to augment other training.