bsilbiger
Newcomer I

Security Awareness Training - On-Site and Program Development

I know that this has been asked in various forms before, but not many answers were provided. We are looking for security and best-practice computer-based training specifically geared towards our development staff. I know about Wombat, KnowBe4, etc., but they want to charge us for all of our staff and not just our development staff. Any help would be appreciated.

 

Thanks

 

Barry Silbiger

6 Replies
dcontesti
Community Champion

So in one company that I worked at, we developed our own materials.  Maybe not the same quality as Wombat or others but it worked.

 

Some sites offer free information that you can use:

 

https://www.owasp.org/index.php/Security_by_Design_Principles

 

https://resources.infosecinstitute.com/7-security-awareness-tips-for-developers-in-your-organization...

 

https://resources.infosecinstitute.com/category/enterprise/securityawareness/security-awareness-fund...

 

So, downsides to this: like everything, if a contractor says it, it's gospel; if you say it, it can be ignored.

 

Not sure the pricing model for this one but SANS has a decent program for developers:

 

https://www.sans.org/security-awareness-training/products/developer

 

Hope some of this helps

 

Diana

 

 

 

CraginS
Defender I


@bsilbiger wrote:

I... I know about Wombat, KnowBe4 etc. but they want to charge us for all of our staff and not just our development staff.

 


Barry, I realize there will be a cost differential, but think of the advantage of having the entire company understand your core business framework! Also, I expect you have support staff who would like to cross-train into developer roles. This initial awareness training is a nice entry point. 

 

Finally, your entire company is subject to phishing, and many non-developers have access to parts of your program. ALL of the staff has access to the network that your developers use for general admin work. A breach of your general use network can most easily move into your development network by rather simple actions on the part of developers.

 

Therefore, please reconsider your plan to limit security awareness training only to the developers. You may be in a classic penny-wise, pound-foolish decision cycle.

 

Good luck,

 

 

 

D. Cragin Shelton, DSc
Dr.Cragin@iCloud.com
bsilbiger
Newcomer I

We already have an overall security awareness training that covers phishing, social engineering, best practices for end users, etc. We are looking for developer-specific training to make our secure coding practices better. We are not being foolish; we are trying to enhance what we already have in place for a practice that is integral to our company growth.

JoePete
Advocate I


@bsilbiger wrote:

We already have an overall security awareness training that covers phishing, social engineering, best practices for end users, etc. We are looking for developer-specific training to make our secure coding practices better.


I think this is a common refrain. The security awareness products out there - even the quality ones - are too generic. Something is needed between them and, say, having an entire department go through a certification test/process. The challenge for a training provider is that it takes a lot of work (i.e. money) to build such a course but there isn't a guarantee of a demand for it outside a specific client. From the company standpoint, they don't want to spend too much money. You'd think there is a market, but the reality is the subject matter may be too much of a niche. It's a bit like building an electric pick-up truck (all deference to Tesla). There's a need, but maybe not a market.

CraginS
Defender I


@bsilbiger wrote:

We already have an overall security awareness training that covers phishing, social engineering, best practices for end users, etc. We are looking for developer-specific training to make our secure coding practices better. We are not being foolish; we are trying to enhance what we already have in place for a practice that is integral to our company growth.


Ah, Barry, I was misled by use of the term "Security Awareness Training." That term normally refers to the general e-mail, password, and phishing protection training you describe for your general employees.

 

I think what you are looking for is not Awareness Training, but rather Secure Development Training.

 

How about putting all of your developers through training leading to the Certified Secure Software Lifecycle Professional (CSSLP), and giving a bonus to those who actually achieve the certification?

 

 

 

D. Cragin Shelton, DSc
Dr.Cragin@iCloud.com