Hi dear colleagues,
I have been requested to set up a Security Awareness program within our company, so I am creating content based on our defined target groups. One of the identified target groups is 'developers'.
I am working to create a Security Awareness module: Secure Software Development. I have some topics already, such as the OWASP Top 10, SDLC, source code review, and checking in/out of source code from configuration management systems.
Without wanting to make the training too technical, I would be quite interested in existing training materials and in other topics to add within the scope of Secure Software Development.
Presentation and distribution form have not been established yet, but I am eager to find some relevant content.
Looking forward to your responses!
Hi, infoSec/developer here.
Try to check the CSSLP CBK for some topics that are good to cover. The OWASP Top 10 is good to know about, but it is a necessary basic.
One thing you should keep in mind is what kind of developers are going to be targeted. For web applications you are going to need some basic security awareness such as HTTPS/HTTP, identity management checks, OWASP, the principle of least privilege including in-app and resource-based approaches (such as maintaining separate DB users with only as many privileges as needed, making sure only publicly accessible resources are available from the public networks, etc.).
For desktop app developers, covering application security and application certifications is a must. Code signing, memory handling, code obfuscation… None of those are necessarily too technical as topics unless you go into implementation, but all are crucial to securing the software they develop.
Common topics will include the "secure by design" principle and similar principles included in the CSSLP. Some cryptography and personal data privacy 101 MIGHT be needed if your software contains so much as users' personal info, but developers mostly don't need, or even appreciate, being dragged too deep into this pond.
Of course, depending on your scenario, not all of those might be relevant, but I think I covered most of what is important.
Best regards,
Frankie
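The "separate DB users with only as many privileges as needed" point from the reply above, as an added worked example (not part of the original thread or any poster's code). It uses PostgreSQL syntax; the database, table and role names (appdb, orders, users, app_web, app_migrate) and the placeholder passwords are assumptions chosen for illustration:

```sql
-- Added example: least-privilege database roles for a web application (PostgreSQL).
-- Assumed names: database appdb, tables orders and users, roles app_web and app_migrate.
-- Run the statements below as the database owner or a superuser, connected to appdb.

-- Weak setting (what many apps ship with): the web tier connects as the cluster
-- superuser, e.g. "postgres". Any SQL injection then carries DROP, ALTER and
-- server-side COPY ... TO/FROM file privileges, not just the query it was meant to run.
--   host=db dbname=appdb user=postgres password=...

-- Corrected setting: one role per duty, each granted only what that duty needs.
CREATE ROLE app_migrate LOGIN PASSWORD 'change-me-at-deploy';  -- runs schema migrations only
CREATE ROLE app_web     LOGIN PASSWORD 'change-me-at-deploy';  -- serves HTTP requests; no DDL

-- Remove the catch-all rights the implicit PUBLIC pseudo-role gets on the public schema,
-- so a freshly created role cannot create tables or use the schema unless granted.
REVOKE ALL ON SCHEMA public FROM PUBLIC;

-- The migration role owns the schema, so it alone may CREATE/ALTER/DROP objects in it.
ALTER SCHEMA public OWNER TO app_migrate;

-- The runtime role may resolve names in the schema but owns nothing in it.
GRANT USAGE ON SCHEMA public TO app_web;

-- Runtime role: DML limited to the tables and verbs the application actually issues.
-- No DELETE on orders (the app only cancels by UPDATE), and read-only on users.
GRANT SELECT, INSERT, UPDATE ON TABLE orders TO app_web;
GRANT SELECT ON TABLE users TO app_web;

-- INSERT into serial/identity columns needs the backing sequences.
GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA public TO app_web;

-- Tables created by future migrations (owned by app_migrate) get the same narrow grants
-- automatically, so a new table does not silently become unreachable or over-privileged.
ALTER DEFAULT PRIVILEGES FOR ROLE app_migrate IN SCHEMA public
    GRANT SELECT, INSERT, UPDATE ON TABLES TO app_web;
ALTER DEFAULT PRIVILEGES FOR ROLE app_migrate IN SCHEMA public
    GRANT USAGE, SELECT ON SEQUENCES TO app_web;

-- Check 1: list exactly what app_web can do; anything beyond SELECT/INSERT/UPDATE
-- on the two tables above is a regression.
SELECT table_name, privilege_type
FROM information_schema.role_table_grants
WHERE grantee = 'app_web'
ORDER BY table_name, privilege_type;

-- Check 2: simulate the injection case. Connected as app_web, these must fail with
-- "must be owner of table orders" / "permission denied", not succeed:
--   DROP TABLE orders;
--   DELETE FROM orders;
--   COPY users TO '/tmp/users.csv';
```

The application's connection string then uses app_web, while the deployment pipeline alone holds the app_migrate credentials; the two checks at the end are worth keeping in a post-deploy script so that a later migration or a "quick fix" GRANT cannot quietly widen the runtime role.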