Myth-busting Developer Security Training in 2019
Myths for Developer Security Training that I have learned through personal experience over a long span of training developers on security (2012-2019 and counting)
- Developers don't care about security. Untrue. Security doesn't contextualize security issues, attacks and consequences. Context is king.
- "We need OWASP Top 10 Training". OWASP Top 10 is the highlights package. OWASP ASVS and Cheatsheets are better
- "Our developers don't need hands-on training. They just need to understand security implementation". You said it. They need to understand. How do you expect that'll happen without them doing something?
- "Regardless of what we do in training. Developers make the same mistakes". How do you expect to do the same thing over and over again and expect different results? Don't you know what Rita Mae Brown said about doing the same thing over and over again, expecting different results?
- "Security training can be distilled to a simple set of DOs and DON'Ts." Teaching formulas that might be out-of-date tomorrow is pointless. We're always a formula away from a 0day. Teach principles and concepts. Thats more enduring.
- "Training should be based on PCI/HIPAA/<insert name here>". Learning should be based on things that you need. And things that you need, you can find, based on risks that you have. Bridge those deficits. Compliance is always a subset of that.