The board of SAFECode, an industry-leading non-profit forum for exchanging software security information formed in 2007, is composed of individuals responsible for product security and assurance.
David Lenoe, director of secure software engineering at Adobe, board member at SAFECode, said, “We wanted a vehicle to disseminate this information to the community and show our customers what we are doing and communicate with policy makers.”
Together the board members have created the Security Engineering Training by SAFECode program, which offers self-paced training delivered as on-demand webcasts. The modules are designed to serve as building blocks for those looking to create an in-house training program for their product development teams, as well as for individuals interested in enhancing their skills.
SAFECode intends to add courses and resources to the site, including training program implementation advice based on the real-world experiences of SAFECode members, with the goal of addressing the gaps in security engineering knowledge among the software engineering workforce.
“Training has always been a part of the security best practices that we advocate,” said Lenoe. Before the program became SAFECode training, Adobe was looking around at what trainings were available in the market. “One of our researchers had the bright idea that we could do this better than anybody else. We wanted to communicate to the development community,” Lenoe continued, but establishing the best practices for reaching that goal took some trial and error.
Initially, the group tried doing in-person trainings. “While it’s great to communicate face-to-face, it doesn’t scale well,” Lenoe said. “In order to cover a breadth of topics, you need a fair amount of time. We had to fight to carve out time for trainings, which is always difficult.”
Eventually they found that computer-based training scales better. “It is available in bite-sized chunks of 15 to 60 minutes per module on one topic. Someone could go through the training over lunch or while their code was compiling because it is self-paced,” said Lenoe.
The trainings range from the basics, including cross-site scripting or injection 101, up to more advanced sessions.
“We plan to organize these trainings in a martial arts belt style system,” explained Lenoe. Modeled after Adobe's training system, SAFECode Forum will soon offer its learners the ability to earn a series of belts, beginning with a white belt and working up the scale as they would in martial arts.
The trainings are built out with a PPT deck, and a security researcher does a voice-over. They are all recorded in a video format. “We found that it really appealed to developers to pursue a belt color. If you are aiming security training at a technical audience, it appeals to their geekiness,” said Lenoe.
In 2013, after talking to compatriots at SAFECode, they hired a production company, which in turn hired voice-over actors, and they released the first set of trainings.
For those who are new to security, these opportunities for free learning are advantageous for honing and expanding your current skillset. “You can review yourself, you can register and download and plug them into your learning management system. If you want to up-level further, we have an associate membership that gives you access to the original content, which might be more customized for your environment,” said Lenoe.
A good starting point for those who are new to security would be the newest training, released in October: Introduction to Cryptography. “The course covers some topics that might suddenly click for you,” said Lenoe, “like the differences between hashing and encrypting and what algorithm you might want to use for a given situation. If you find that is interesting, you can move on to some of the other 101 topics.”
For security teams wondering how they can benefit from using the Adobe certification program internally, Lenoe said, “One thing it helped us to do was identify people who were interested in security. They were about to earn a white belt first, then proceeded to get green belts.”
Whether it is the guy on the Acrobat engineering team or the senior engineer who has an interest in security, offering these training courses surfaced previously unknown interest and allowed for training and growth from within.
“One of the lessons we have learned,” said Lenoe, “is that it is important to be able to scale your security program. You can’t rely just on a central security team. You need to bring other folks into the fold and scale that security evangelism. We also got a lot of value out of covering a broad array of topics at some level of depth.”
This article is published as part of the IDG Contributor Network.