Saku Tuominen

Saku Tuominen

Author works as information security and privacy specialist at Mint Security. He brings two decades of professional experience to the table.
Share on facebook
Share on twitter
Share on linkedin
Share on xing
Share on whatsapp

Developers are, in effect, the only people in any organization who can fix vulnerabilities hidden in their applications. Nevertheless, in most cases they do not undergo the training to be able to find and fix vulnerabilities, and put applications to production, without even the most common security holes.

Developers are asked a lot

Why is the security training of software developers lagging behind it’s goals? Most common reasons for this are:

  • Content of the training is tooo long (and boring)
  • The content is not relevant in relation to the organization’s tech stack
  • The approach to learning is wrong and does not engage or inspire the learners enough
Veracode Security Labs - training module introduction to bash terminal
Veracode Security Labs - training module introduction to bash terminal

Infosec standards like it

Standards, certifications, and regulations set their demands on continuous security training.

ISO27001

The world’s leading security standard ISO/IEC 27001 requires software and systems development practices formulated and applied to all software development activities in the organization. The policies should cover all key issues of secure application development for all programming languages used by the organization, fundamentals of application security, and create and strengthen developers’ abilities to avoid, discover, and fix vulnerabilities in applications.

OWASP SAMM

OWASP SAMM is a community driven maturity model based on self-assessment that seeks to raise awareness and train organizations on how to design, develop, and deploy secure software. SAMM’s Education & Guidance practices address security education on three maturity levels:

On level 1, security training is provided to all personnel groups, in particular to those who are in some way involved with secure software development processes. The goal is to increase awareness of security threats and risks to applications, learn about best practices and the principles of secure software design. OWASP Top 10 vulnerabilities should be covered at a general level.

Level 2 offers more tailored training, according to various roles. The training should be related to the technologies and techniques used in the company, starting from the core of the development team. Content is adapted for product managers, software developers, testers, and security auditors based on the technical needs of each group.

On level 3, the goal is to develop internal training programs.

Veracode Security Labs - user management
Veracode Security Labs - user management

Veracode Labs goes straight to the point

Veracode Security Labs helps meet the requirements of security standards while providing a meaningful way for the entire development team to learn more. Browser-based exercises allow students to start gaining skills in 5-10 minutes, utilizing and correcting authentic code.

“Interactive” training solutions typically simulate a web application instead of using real code. Disadvantage of this approach is that even if a developer passively looks at code snippets, he or she might never actually touch the keyboard. Without hands-on training, the situation often is that no actual learning has taken place, because participants merely click on different multiple-choice answers until the lesson is over.

Shift left!

Security Labs shifts application security to the left, preparing and strengthening developers’ capabilities to respond to modern threats by leveraging and fixing real code, and applying DevSecOps principles to deliver protected code in a timely manner.

Through hands-on exercises, developers learn skills and strategies that are directly applicable to the code generated by the organization. Detailed progress reporting and a scoreboard encourage developers to continually hone their coding skills.

Veracode Security Labs - Choose lab topic
Veracode Security Labs - Choose lab topic

Create more secure software

Typically, there is only one security professional with expertise per one hundred application developers. As developers’ skills are updated by training to correct gaps and code correctly, your organization’s “AppSec” becomes more scalable. Veracode Security Labs offers the ability to create custom labs specifically to your organization’s tech stack and business goals.
Veracode Security Labs - Assign content through campaigns
Veracode Security Labs - Assign content through campaigns

More information

  • Watch a demo here: https://share.vidyard.com/watch/eiL5tYWaUQVB55x3debySD?
  • Read more from Veracode: https://www.veracode.com/products/security-labs

If you want a hands-on livedemo, contact us. We can share test accounts or setup a demo-environment if needed. 

Veracode feature picture

Veracode

SAST – Static Application Security Testing SCA – Software Composition Analysis SDLC Integration VERACODE delivers the application security solutions Veracode’s unified platform assesses and improves

Lue lisää »
Veracode Security Labs - user management
Veracode
Saku Tuominen

Veracode Security Labs

Developers are, in effect, the only people in any organization who can fix vulnerabilities hidden in their applications. Veracode Security Labs helps meet the requirements of security standards while providing a meaningful way for the entire development team to learn more.

Lue lisää »
Veracode and Travis CI
Veracode
Teemu Turpeinen

Integrating Travis CI with Veracode

This blog post will show you how to integrate Travis CI and Veracode. Travis is a cloud based continuous integration (ci) service, that can be used to automate tests and builds for software projects hosted in GitHub.

Lue lisää »
Verified by Veracode
sdlc
Thomas

Verified by Veracode

Prove your company’s secure software development practices with Veracode Verified. Implementing this program helps you make security part of your competitive advantage, easily defend your AppSec budget, and better integrate security with development.

Lue lisää »
Saku Tuominen

Saku Tuominen

Author works as information security and privacy specialist at Mint Security. He brings two decades of professional experience to the table.
Share on facebook
Share on twitter
Share on linkedin
Share on xing
Share on whatsapp

contact us

Please do contact us. We most likely respond faster than you thought,