Posts tagged "SAFEcode Security Training Program"

Training Secure Software Engineers, Part 3: Tips on creating your own training

This is the third and final post in our series on the Adobe Software Security Engineering Team’s (ASSET) Software Security Certification Program, which formed the basis for the newly released SAFEcode Software Security Training. In the Overview post, I talked about the overall program, in the second post, I talked about the logistics of creating your own training program and using metrics to track your progress. In this post, I’ll provide some tips for creating your own software security certification program or supplementing the SAFEcode Software Security Training with your own training.

While we were in the process of creating the ASSET certification program, there was a lot of trial-and-error learning that took place. Here are some of our lessons learned so if you’re building your own training, you can skip the growing pains we experienced:

  • Know your audience and tailor content to their needs. People will become frustrated if they cannot connect what they are learning to what they need for their job. It’s like the age old question, “Why do I have to learn algebra if I’m never going to use it?” I’m not going to explain that one, but I do not want to address my deadline crunched Java developer with the specific reasons of how a course called “How to Write More Secure C/C++” is going to alleviate a worse situation down the road.
    • We began with a more liberal arts approach to security and have since shifted to a more proscriptive approach over time.
    • Also, we now have different tracks for different roles at Adobe. There’s a manager’s track, a Dev track and a QA track.
  • Get executive buy-in. You can market a training program within a company until you die and get no traction unless somebody with power and influence throws their weight behind it. People want to know that the investment they make with their time will be recognized and valued by someone. What does it matter if I have a fancy badge if nobody cares what it means? Get executives to talk about, email about and even mandate trainings.
  • Use crises to push your agenda. In order to get executives to pony up, you need to demonstrate the value of your offering. The most effective way to do this is to leverage a crisis. Use vulnerabilities that are painful or embarrassing to remind execs that proactive security work pays off; use the training to show them you have a solution. A developer who knows secure coding will be more efficient at hardening code.
  • Use metrics to encourage participation, stimulate competition and show progress. We use our training metrics tracking tool (TESSA) to allow everyone to see who is and isn’t trained. Training metrics consistently show that teams with higher training density perform better on quantified metrics like incident response time. Making metrics public, within the company, sparks competition among teams and individuals. Employees have tied achievement of certification belts to goals for their annual reviews.
  • Refresh content on a regular basis. As we all know, the threat landscape continues to change. The Web hacking techniques from 2013 are different than the ones the Web hacking techniques for 2012. Developers continue to use new languages, open source components and new tools in their jobs. For this reason, it’s important to revisit your security training content on at least an annual basis and update anything that’s out of date.

Real Results
We believe the evidence proves our security training program is working. The first two levels of the certification program are now required of every developer and tester on every product team, as part of the Secure Product Lifecycle (SPLC) at Adobe. In 2008, security wasn’t a regular topic on executive roadmaps, today the highest levels of management at Adobe review the “Security Health” dashboard for each major product and service on a regular basis.

The Intangibles
Although there is an initial investment associated with creating your own training, it’s a great way to brand your security team(s) throughout the company and get the word out.

The training program has allowed the ASSET team to transition from “giving a man a fish” by repeatedly teaching primary security concepts, to raising security awareness among the development teams and “teaching a man to fish” by scaling and creating embedded security leaders (brown and black belts) to lead the security charge within development teams.

The impact of the ASSET certification program can’t be overstated. Creating a training and certification program at Adobe catalyzed a cultural shift and ultimately built a foundation for the company to innovate and improve the security of all its products.

We began with approximately 25 original course offerings, and have since doubled that number. We continue to revise and add courses to our curriculum and build on the security culture at Adobe. If you’re interested in talking about security training and our certification program, let’s catch up at the next conference.

Josh Kebbel-Wyen
Sr. Program Manager

Training Secure Software Engineers

SAFECode today announced the release of a software security training program. This is an exciting new resource, not just for anyone interested in learning more about writing secure code in the real world, but for software security leaders responsible for integrating security into how the development organization builds code. SAFECode’s ambition is that this training resource will provide building blocks for folks to develop a successful customized training program for their environment. I encourage you to check out the training and I also want to provide some context about how this SAFECode release came to be.

When I first joined Adobe, nearly five years ago, my top priority was raising the security IQ across the various roles responsible for getting code out the door: from people who write and test code to the many flavors of managers (product, program, people) and everyone in between. After looking at a lot of options, we built the ASSET Software Security Certification Program and have seen thousands of Adobe employees certified every year, since the launch in early 2009.

I have received many inquiries about sharing our course materials. Rather than publishing one-off drops of the Adobe training content, we instead worked with the other SAFECode members to use our courses as the seed for the software security training site launched today. With the pooled resources of all the SAFECode contributors and a place to focus the broader community of software security champions on training, we aim to have the biggest impact.

Please stay tuned as Josh Kebbel-Wyen, Senior Security Program Manager for ASSET (Adobe Secure Software Engineering Team) publishes a series of blog posts describing the ASSET certification program at Adobe. He will offer insights into how the program helped us establish a security culture at Adobe and share tips and tricks based on lessons learned along the way.


Brad Arkin
Chief Security Officer