Secure-by-design and secure-by-default principles, use of memory-safe programming languages where possible, and secure programming practices are used as part of application development.
Provide role-specific, secure development training, including regular proficiency assessments and updates to training as needed. Define desired outcomes for each role, plan training accordingly, and measure effectiveness to continuously improve skillsets, ensuring personnel are equipped to support secure development practices.
Design and deliver customized security training tailored to the organization's roles and technologies, so that everyone involved in software development has the skills needed to maintain secure development practices. Training should address the distinct responsibilities and technical requirements of each role:

- Product Managers: SAMM business functions, security practices, threat modeling, and defect tracking, so that business processes align with application security.
- Developers: secure coding standards, the OWASP Top 10, and weaknesses specific to the frameworks and platforms in use (e.g., mobile), together with remediation strategies for the most common defects.
- Testers: testing tools, best practices, and techniques for identifying and documenting security defects.
- Security Auditors: the SDLC's application security mechanisms and the process for submitting security defects for remediation.
- Security Champions: advanced training on threat modeling, secure design, and integrating security tools into development workflows.

Training should include interactive demonstrations of vulnerability exploitation against deliberately weakened applications (e.g., OWASP WebGoat or OWASP Juice Shop), case studies drawn from previous penetration test results, and strategies for implementing remediation. Involve subject-matter experts and penetration testers in developing and delivering the content. Training must be mandatory for all employees and contractors involved in software development and must include measurable assessments to verify understanding. Update the content at least annually to reflect changes in organizational practices, technologies, and emerging threats, and collect participant feedback to keep it relevant and effective.
ID | Operation | Description | Phase | Agent |
---|---|---|---|---|
SSS-02-01-05-01-01 | Identify role-specific training needs | Analyze the responsibilities of different roles (e.g., product managers, developers, testers, security auditors, and Security Champions) and define their specific security training needs. | Preparation | Security team, HR team, Development leads |
SSS-02-01-05-01-02 | Develop and customize training content | Create or procure training content tailored to the technologies, frameworks, and security needs of each role. Include demonstrations of vulnerabilities (e.g., using WebGoat or Juice Shop) and remediation examples. | Development | Security team, Subject-matter experts (SMEs) |
SSS-02-01-05-01-03 | Deliver interactive and mandatory training | Conduct instructor-led or computer-based training sessions. Include hands-on vulnerability exploitation exercises, real-world examples, and role-specific best practices. | Development | Security team, External trainers, Development teams |
Industry framework | Academic work | Real-world case |
---|---|---|
Information Security Manual (ISM-0401); NIST Secure Software Development Framework (PO.2.2); OWASP SAMM: Software Assurance Maturity Model (G-EG-2-A) | | |