APPL-11

Have your developers been trained in secure coding techniques?

Explanation

This question is asking whether your organization has provided formal training to your software developers on secure coding practices. Secure coding techniques are programming practices that help prevent security vulnerabilities in software applications.

Why it's asked in security assessments:

1. Preventing vulnerabilities: Many security breaches occur due to software vulnerabilities that could have been prevented with proper coding practices.
2. Risk assessment: Organizations with trained developers present lower security risks.
3. Compliance requirements: Many regulatory frameworks require developer security training.
4. Proactive security: It's more cost-effective to build security in from the start than to fix vulnerabilities later.

The question aims to determine if your organization has a formal process for ensuring developers understand common security vulnerabilities (like SQL injection, cross-site scripting, etc.) and know how to code defensively against them.

To best answer this question:

- Be specific about what training programs are in place
- Mention the frequency of training (initial onboarding, annual refreshers, etc.)
- Include any certifications or standards the training aligns with (OWASP, SANS, etc.)
- Describe how you verify the effectiveness of the training
- If applicable, mention how training is tailored to your specific technology stack

Example Responses

Example Response 1

Yes, all developers undergo mandatory secure coding training.

- New hires complete OWASP Top 10 and secure coding fundamentals training during onboarding.
- All developers receive quarterly security updates and annual refresher courses tailored to our technology stack (Java, Python, and Node.js).
- We partner with SecureCode Academy for our training program, which includes hands-on labs and assessments.
- Developers must pass practical coding exercises that demonstrate their ability to identify and fix common vulnerabilities.

Additionally, 30% of our development team holds GIAC Secure Software Programmer certifications, and we run an internal security champions program through which advanced security concepts are shared across teams.

Example Response 2

Yes, our secure coding training program consists of multiple components.

- All developers complete mandatory security training during onboarding that covers OWASP Top 10, secure coding principles, and our internal secure development lifecycle.
- We conduct monthly security brown bag sessions where recent vulnerabilities and mitigation techniques are discussed.
- Our security team also provides specialized workshops twice a year focusing on secure coding in our primary languages (C#, JavaScript).
- Additionally, we use an automated learning platform that assigns developers micro-learning modules based on security issues identified in their code during reviews.

Training effectiveness is measured through pre/post assessments and by tracking security defects in code over time.

Example Response 3

No, we currently do not have a formal secure coding training program in place.

- Our developers primarily learn security best practices through peer code reviews and occasional security bulletins shared by our IT team.
- While we recognize the importance of secure coding techniques, we have prioritized feature development and have relied on our QA and security testing processes to catch vulnerabilities before production.

We are currently evaluating several secure coding training options and plan to implement a formal program in the next quarter, which will include OWASP Top 10 training and language-specific security courses for our development team.

Context

Tab: Infrastructure
Category: Application/Service Security

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub