“The lack of security engineering awareness and education among the software engineering workforce can be a significant obstacle to organizations working to implement software security programs”, Howard Schmidt, executive director of SAFECode, the non-profit Software Assurance Forum for Excellence in Code, told his audience at the Security Development Conference in San Francisco, May 14 2013.
“While not a replacement for formal security engineering education at the college and university level, nor a one-size-fits-all curriculum, SAFECode hopes that this new program is a step forward in addressing that knowledge gap and promoting the broad application of secure development practices.”
The courses are designed to be used as building blocks for those looking to create an in-house training program for their product development teams, as well as individuals interested in enhancing their skills. The program aims to help address gaps in security engineering knowledge among the entire software engineering ecosystem, which has been a key challenge facing organizations working to improve software security. SAFECode research has determined that internally developed security engineering training should be directed at everyone in the software development cycle, including product managers, project managers, architects/designers, developers and testers.
“Ensuring that everyone touching the product development lifecycle has the knowledge they need to support an organization’s software security process is a fundamental challenge for any organization committed to software security success,” said Schmidt.
The goal is to remove the pain that organizations face in developing a custom program of their own in the face of resource constraints and knowledge vacuums.
“While SAFECode’s analysis has shown that security training is most effective when aligned to an organization’s unique culture and security development process, we recognize that not every organization has the resources required to develop custom training,” Schmidt said. “By providing free training courses in a modular fashion, we hope other organizations can pick and choose the ones most relevant to their needs to either supplement an existing program or build the foundation for a new one.”
The initial set of courses covers introductory-level topics and is based on training materials donated to SAFECode by Adobe after successful use in its software security program. A team of technical contributors from the SAFECode member companies reviewed and supplemented the course materials to ensure broad applicability across diverse development environments.
SAFECode intends to add further courses and resources to the site, including training program implementation advice based on the real-world experiences of SAFECode members, with the goal of creating an accessible and practical industry resource to support and promote software security training. Additional courses are already in the review process, the group said.