topic Security Awareness Training - On-Site and Program Development in Tech Talk

Security Awareness Training - On-Site and Program Development

bsilbiger — Mon, 09 Oct 2023 09:13:54 GMT

I know that this has been asked in various forms before, but not many answers were provided. We are looking for security and best practice computer based training specifically geared towards our development staff. I know about Wombat, KnowBe4 etc. but they want to charge us for all of our staff and not just our development staff. Any help would be appreciated.

Thanks

Barry Silbiger

Re: Security Awareness Training - On-Site and Program Development

dcontesti — Tue, 11 Jun 2019 15:54:15 GMT

So in one company that I worked at, we developed our own materials. Maybe not the same quality as Wombat or others but it worked.

Some sites offer free information that you can use:

https://www.owasp.org/index.php/Security_by_Design_Principles

https://resources.infosecinstitute.com/7-security-awareness-tips-for-developers-in-your-organization/

https://resources.infosecinstitute.com/category/enterprise/securityawareness/security-awareness-fundamentals/top-20-security-awareness-tips-tricks/#gref

So downsides to this, like everything if a contractor says it, it's gospel, if you say it, it can be ignored.

Not sure the pricing model for this one but SANS has a decent program for developers:

https://www.sans.org/security-awareness-training/products/developer

Hope some of this helps

Diana

Re: Security Awareness Training - On-Site and Program Development

CraginS — Tue, 11 Jun 2019 19:14:09 GMT

@bsilbiger wrote:
I... I know about Wombat, KnowBe4 etc. but they want to charge us for all of our staff and not just our development staff.\

Barry, I realize there will be a cost differential, but think of the advantage of having the entire company understand your core business framework! Also, I expect you have support staff who would like to cross-train into developer roles. This initial awareness training is a nice entry point.

Finally, your entire company is subject to phishing, and many non-developers have access to parts of your program. ALL of the staff has access to the network that your developers use for general admin work. A breach of your general use network can most easily move into your development network by rather simple actions on the part of developers.

Therefore, please reconsider your plan to limit security awareness training only to the developers. You may be in a classic teeny wise, pound foolish decision cycle.

Good luck,

Re: Security Awareness Training - On-Site and Program Development

bsilbiger — Tue, 11 Jun 2019 19:30:30 GMT

We already have an overall security awareness training that covers Phishing, social engineering, best practices for end users etc. We are looking for developer specific training to make our secure coding practices better. We are not being foolish we are trying to enhance what we already have in place for a practice that is integral to our company growth.

Re: Security Awareness Training - On-Site and Program Development

JoePete — Tue, 11 Jun 2019 21:50:49 GMT

@bsilbiger wrote:
We already have an overall security awareness training that covers Phishing, social engineering, best practices for end users etc. We are looking for developer specific training to make our secure coding practices better.

I think this is a common refrain. The security awareness products out there - even the quality ones - are too generic. Something is needed between them and, say, having an entire department go through a certification test/process. The challenge for a training provider is that it takes a lot of work (i.e. money) to build such a course but there isn't a guarantee of a demand for it outside a specific client. From the company standpoint, they don't want to spend too much money. You'd think there is a market, but the reality is the subject matter may be too much of a niche. It's a bit like building an electric pick-up truck (all deference to Tesla). There's a need, but maybe not a market.

Re: Security Awareness Training - On-Site and Program Development

JoePete — Tue, 11 Jun 2019 21:51:51 GMT

@bsilbiger wrote:
We already have an overall security awareness training that covers Phishing, social engineering, best practices for end users etc. We are looking for developer specific training to make our secure coding practices better.

Re: Security Awareness Training - On-Site and Program Development

CraginS — Tue, 18 Jun 2019 17:05:18 GMT

@bsilbiger wrote:
We already have an overall security awareness training that covers Phishing, social engineering, best practices for end users etc. We are looking for developer specific training to make our secure coding practices better. We are not being foolish we are trying to enhance what we already have in place for a practice that is integral to our company growth.

AH, Barry, I was misled by use of the term "Security Awareness Training." That term normally refers to the general e-mail, password, and phishing protection training you describe for your general employees.

I think what you are looking for is not Awareness Training, but rather Secure Development Training.

How about putting all of your developers through training leading to the Certified Secure Software Lifecycle Professional (CSSLP), and give a bonus to those who actually achieve the certification?