Many regulatory frameworks require developers to be educated about security. The most recent version of the PCI DSS standard, for example, which was last updated in May 2018, mentions the words “train” or “training” 38 times.
But the question for businesses is: how do you actually train developers to write and deploy secure code? That’s a trickier quandary, because regulatory frameworks are not always explicit about what kind of training businesses should be providing to their coders.
At the same time, it’s important to devise training programs for developers that can address a variety of regulatory requirements. You don’t want to have to provide separate training for each regulatory law or industry standard that affects your business.
With these needs in mind, here’s a look at how businesses can approach developer education in the context of meeting compliance of regulatory requirements.
What Are the Security Education Requirements of Regulations?
The requirements regarding developer education or training within regulatory frameworks or industry standards vary widely. So does the extent to which the frameworks offer guidance for what that training may entail.
The PCI DSS standard is probably the most fully developed framework in this respect. As noted above, it refers to developer training dozens of times. It also provides specific guidance on resources that businesses can use to train their developers by referring them to organizations such as OWASP and NIST.
The GDPR occupies a middle ground. It occasionally mentions things like “data protection training” for personnel who have access to sensitive data, but it does not raise the issue as often as PCI DSS. It also is not specific about what this training looks like in practice. HIPAA is similar. It establishes mandates such as creating a “security awareness and training program,” but leaves it up to businesses to determine how to do that.
And then there are regulatory frameworks like the California Privacy Rights Act of 2020, which doesn’t mention training at all.
Thus, the extent to which your business must implement developer education as a specific compliance requirement, and the way you go about implementing it, depends on which frameworks impact your business.
But even if you are not subject to a regulatory law or industry standard that explicitly mandates training, educating developers about secure coding practices and tools is an important step toward meeting the other security requirements that regulatory frameworks define. Developer training, in other words, shouldn’t be treated as an option as long as it isn’t strictly required. It should be a standard part of all corporate compliance strategies, even if regulatory frameworks don’t specifically mandate it.
Developing Security Training for Developers
How do you actually implement a security training program for developers that addresses regulatory requirements? Again, if the regulatory rules that you must meet include specific guidance, start there. But in general, no matter which frameworks you are dealing with, the following are some best practices for devising effective developer security training.
Understand Sensitive Data
For starters, you should educate your developers about the differences between sensitive and non-sensitive data.
The way that regulatory frameworks define sensitive data varies somewhat from one framework to the next, of course. But in general, sensitive data is any data that could be associated with an individual, even indirectly.
The CPRA of 2020 includes perhaps the most expansive definition of sensitive data (which it refers to as personally identifiable information) to appear to date. If you’re unsure how to define sensitive data for your business’s regulatory needs, consider using the CPRA’s definitions. They may be overly expansive in the context of other frameworks that don’t take such broad views of what counts as sensitive information. But it’s better to teach your developers to err on the side of caution by protecting too much data than to let sensitive information slip through the cracks.
Understand Data Management and Flow
Once developers can define sensitive data, they can design applications and architectures that mitigate the risk of the unauthorized exposure of that data.
To help them in this task, their training should provide an understanding of how data moves within applications and within infrastructures. They should also understand how to apply authentication tools like cloud IAM frameworks to applications and data, as well as how to build their own protections if they are not available from the application hosting environment.
Understand Third-Party Dependencies
For many developer teams, the greatest risk to sensitive information comes not from code written by the team itself, but from upstream code borrowed from open source projects. Train your developers to understand the risks associated with reusing open source code and educate them about strategies for mitigating those risks, such as only using code from a trusted source and being sure to analyze source code for potential vulnerabilities.
Understand Coding Best Practices
Finally, developers should be trained to follow best practices for writing secure code themselves. Although these practices can vary somewhat between different programming languages, and also across different types of application deployment environments and architectures, resources like the OWASP Secure Coding Practices-Quick Reference Guide and the SEI CERT coding standards are good starting-points that can be applied to any development practice.
Developer education related to security may seem optional unless it is specifically required by a regulatory framework that affects your business. But whether or not it’s an explicit requirement, it’s almost always an implied requirement. Without teaching developers how to write secure code, find vulnerabilities in code, protect data, and identify sensitive information, your business will struggle to meet the regulatory requirements of any and all frameworks to which it is subject. Adding an AppSec awareness and training program specifically targeting developers’ secure coding, vulnerability identification, and risk remediation skills goes a long way towards meeting any application security compliance requirements.
Chris Tozzi has worked as a journalist and Linux systems administrator. He has particular interests in open source, agile infrastructure, and networking. He is Senior Editor of content and a DevOps Analyst at Fixate IO. His latest book, For Fun and Profit: A History of the Free and Open Source Software Revolution, was published in 2017.
To learn more about The Modern Approach to Developer AppSec Awareness and Training, The complete guide to secure coding education, by Checkmarx, you can download your copy here.