Today has been a really exciting day for SAFECode. I am writing from our table at the Security Development Conference, a great event focused on implementing the latest in security development techniques and processes. Howard had the honor of helping kick off the conference with one of the morning keynotes, and discussed the important role software security plays in our broader efforts to secure the IT ecosystem. In addition, many of the SAFECode members are here participating in the event on behalf of their companies, and it has provided a great venue for some face-to-face collaboration.
But what has been most rewarding for me is having so many of us here together to mark an important milestone for the organization: the launch of our free security engineering training program. Security Engineering Training by SAFECode is an online community resource offering free software security training courses delivered via on-demand webcasts. Covering issues from preventing SQL injection to avoiding cross-site request forgery, the courses are designed to be used as building blocks for those looking to create an in-house training program for their product development teams, as well as individuals interested in enhancing their skills. All courses are free and published under a Creative Commons license, and open, non-commercial usage of the content is encouraged.
While the courses will be helpful for individuals looking to improve their skills, SAFECode’s primary focus is on assisting product security managers in finding materials useful for developing and supporting an in-house training program. We recommend that product security managers use the training materials in the context of a broader software security process. To help, SAFECode frequently publishes guidance to support the development and maturation of such a process, including its flagship work, Fundamental Practices for Secure Software Development. It has also published a framework for setting up a corporate security engineering training program.
Today’s announcement is just the beginning. SAFECode will be adding new courses to the site on an ongoing basis to create a diverse catalog of security engineering training courses for all expertise levels as a community resource.
The collective experience of SAFECode’s member companies has shown that software security is most successful when it is treated as a process that reflects an individual company’s culture and unique development needs. Supporting this process through software security training is essential. In fact, the lack of security engineering awareness and education among the software engineering workforce can be a significant obstacle to organizations working to implement software security programs.
Though our analysis has shown that security training is most effective when aligned to an organization’s unique culture and security development process, we recognize that not every organization has the resources required to develop custom training. We hope that this program can help other organizations overcome this obstacle and provide them with the tools they need to create a training program that works for their environment.