Governance: Training (T)

The overall goals for the Training practice are the creation of a knowledgeable workforce and correcting errors in processes. The workforce must have role-based knowledge that specifically includes the skills required to adequately perform their SSDL activities. Training must include specific information on root causes of errors discovered in process activities and outputs.

GOVERNANCE: TRAINING
	Objective	Activity	Level
T1.1	promote culture of security throughout the organization	provide awareness training	1
T1.2	ensure new hires enhance culture	include security resources in onboarding
T1.3	act as informal resource to leverage teachable moments	establish SSG office hours
T1.4	create social network tied into dev	identify satellite during training
T2.1	build capabilities beyond awareness	offer role-specific advanced curriculum (tools, technology stacks, bug parade)	2
T2.2	see yourself in the problem	create/use material specific to company history
T2.3	keep staff up-to-date and address turnover	require annual refresher
T2.4	reduce impact on training targets and delivery staff	offer on-demand individual training
T2.5	educate/strengthen social network	hold satellite training/events
T3.1	align security culture with career path	reward progression through curriculum (certification or HR)	3
T3.2	spread security culture to providers	provide training for vendors or outsource workers
T3.3	market security culture as differentiator	host external software security events

one

T Level 1: Create the software security satellite. The SSG must build interest in software security throughout the organization and must actively cultivate advocates. The SSG and managers must ensure that new hires are exposed to the corporate security culture during onboard activities and that awareness training is provided on an ongoing basis. The SSG must be available, at least periodically, for those seeking software security guidance.

T1.1

Provide awareness training. The SSG provides awareness training in order to promote a culture of security throughout the organization. Training might be delivered by members of the SSG, by an outside firm, by the internal training organization, or through a computer-based training system. Course content is not necessarily tailored for a specific audience. For example, all programmers, quality assurance engineers, and project managers could attend the same Introduction to Software Security course.

T1.2

Include security resources in onboarding. The process for bringing new hires into the engineering organization includes a module on software security. The generic new hire process covers things like picking a good password and making sure people don't tail you into the building, but this is enhanced further to cover topics such as secure coding, the SSDL, and internal security resources. The objective is to ensure that new hires enhance the security culture.

T1.3

Establish SSG office hours. The SSG offers help to any and all comers during an advertised lab period or regularly scheduled office hours. By acting as an informal resource for people who want to solve security problems, the SSG leverages teachable moments and emphasizes the carrot over the stick. Office hours might be held one afternoon per week in the office of a senior SSG member.

T1.4

Identify satellite through training. The satellite begins as a collection of people scattered across the organization who show an above-average level of security interest or skill. Identifying this group is a step towards creating a social network that speeds the adoption of security into software development. One way to begin is to track the people who stand out during introductory training courses. (See [SM2.3] Create or grow social network/satellite system.)

two

T Level 2: Make customized, role-based training available on demand. The SSG must provide role-specific training material that includes lessons from actual internal events. Managers must ensure that all staff members receive this training at least annually, preferably through computer-based training. The SSG must continue to build its satellite through social activities, including training and related events.

T2.1

Offer role-specific advanced curriculum (tools, technology stacks, bug parade). Software security training goes beyond building awareness and enables trainees to incorporate security practices into their work. The training is tailored to the role of trainees; trainees get information on the tools, technology stacks, or kinds of bugs that are most relevant to them. An organization might offer three tracks for engineers: one for Java developers, one for .NET. developers, and a third for testers.

T2.2

Create/use material specific to company history. In order to make a strong and lasting change in behavior, training includes material specific to the company's history. When participants can see themselves in the problem, they are more likely to understand how the material is relevant to their work and to know when and how to apply what they have learned. One way to do this is to use noteworthy attacks on the company as examples in the training curriculum.

T2.3

Require annual refresher. Everyone involved in making software is required to take an annual software security refresher course. The refresher keeps the staff up-to-date on security and ensures the organization doesn't lose focus due to turnover. The SSG might use half a day to give an update on the security landscape and explain changes to policies and standards.

T2.4

Offer on-demand individual training. The organization lowers the burden on trainees and reduces the cost of delivering training by offering on-demand training for individuals. Computer-based training is the most obvious choice.

T2.5

Hold satellite training/events. The SSG strengthens its social network by holding special events for the satellite. The satellite learns about advanced topics or hears from guest speakers. Offering pizza and beer doesn't hurt.

three

T Level 3: Provide recognition for skills and career path progression. Also build morale. Management and the SSG must ensure that all staff members receive appropriate recognition for advancement through the training curriculum. Managers, application owners, and the SSG must provide training to vendors and out-source workers as a method of spreading the security culture. Managers and the SSG must continue to bolster satellite momentum by marketing the security culture externally.

T3.1

Reward progression through curriculum (certification or HR). Knowledge is its own reward, but progression through the security curriculum brings other benefits too. Developers and testers see a career advantage in learning about security. The reward system can be formal and lead to a certification or official mark in the HR system, or it can be less formal and make use of motivators such as praise letters for the satellite written just before annual review time.

T3.2

Provide training for vendors or outsource workers. The organization offers security training for vendors and outsource providers. Spending time and effort helping suppliers get security right is easier than trying to figure out what they screwed up later on. In the best case, outsourced workers receive the same training given to employees.

T3.3

Host external software security events. The organization markets its security culture as a differentiator by hosting external security events. Microsoft's BlueHat is such an event. Employees benefit from hearing outside perspective. The organization as a whole benefits from putting its security cred on display. (See [SM3.2] Run external marketing program.)