Alleviating Modern-Day Developer Pressures: 3 Ways to Ensure Effective AppSec Training
April 19, 2021

James Brotsos
Checkmarx

As organizations rapidly accelerated digital transformation efforts due to COVID-19, software developers have had to endure the brunt of the increased workload. In fact, a recent Checkmarx study found that nearly half (46%) of developers said the rate at which they're expected to build and deploy software is somewhat or significantly faster now compared to before the pandemic, while another 36% admitted a top challenge weighing on their shoulders include keeping up with increased development speeds and demands.

While it may seem counterintuitive to add another component to developers' workloads, organizations can meet the needs of today's developers by prioritizing effective AppSec training. Developers themselves have expressed interest in increased training and resources amid the ongoing pandemic, with 36% asking for more AppSec training. This investment will not only reduce a company's risk from software vulnerabilities, but will also have a lasting impact on developers' efficiency and productivity, empowering them to operate more securely from the first line of code written.

But what exactly makes AppSec training effective, and how does this differ from the traditional types of educational resources developers are currently exposed to? Let's explore:

1. Just-in-time training to increase productivity

Let's face it — developers don't have the time (or patience) to sit in one-time, outdated training lessons, signaling the need for an alternative approach. We all know that an educated developer is a productive — and secure — developer. Security training that embeds lessons and modules directly into workstreams teaches developers how to write more secure code in real-time, learning as they go for maximum productivity and learning power. Training modules can help users understand how an application or portion of code might be exploited and how to prevent the issue from happening in the first place.

With integrated training, developers learn how to better understand and discover security vulnerabilities and weaknesses, and then proactively remediate them. In a recent case study where an organization implemented just-in-time developer training, the company saved each of its 1,000 developers two hours per week, translating to 104,000 hours and 1.7 million Euro annually through increased employee productivity. By cutting down on the hours spent towards archaic security training modules, developers are able to produce software faster and meet the pace of demand in a more secure manner.

2. Gamified education to prevent boredom (and burnout)

"Burnout” is a growing concern of business leaders across all industries and roles, but with the pressure that's now being put on developers to operate faster, they are specifically at-risk. Fortunately, increasing and promoting secure coding education can be an effective tactic against developer burnout — if implemented correctly.

A method widely adopted in the training and development world has been gamification due to its ability to engage and motivate participants. According to a recent survey, 83% of those who received gamified training felt motivated, while 61% of those who received non-gamified training felt bored and unproductive — both symptoms of burnout. Gamification can take many forms, such as tournaments, realistic role-plays or even personalized avatars. When combined, these tactics make for interactive, immersive training environments while simultaneously improving a developer's ability to code securely.

When developers are able to correct security concerns quickly (or better yet, not make the mistakes in the first place), they limit stress and feel empowered in the work they accomplish. Team empowerment can instill greater trust in leadership, further encourage employee motivation, lead to greater creativity and improve employee retention.

3. Incentivize training to cultivate a security culture

It is crucial that organizations establish a security culture that keeps pace with the rapidly evolving threat landscape. When training is paired with open communication, ongoing engagement and on-the-spot remediation support, security managers can cultivate a culture of software security that empowers developers to think and act securely in their day-to-day work.

A security culture can also be built when developers are rewarded for upskilling in critical areas. Instilling an ongoing leaderboard that tracks peers against each other and incentivizes winners with rewards (like gift cards or company recognition) will spur friendly competition and increased engagement amongst co-workers. The key is creating a system that is both engaging and motivational, while ultimately making everyone within the organization pay more attention to security, starting with developers in the trenches.

As application security continues to move under developers' ownership, with more than half (55%) of developers taking on more application security responsibility during COVID-19, organizations must meet them halfway. While business leaders can never exactly pinpoint the dollar amount that was saved by avoiding a breach, the benefits of effective training alone are priceless during a time when developers are on the front lines of innovation, helping advance today's accelerated digital transformation efforts that seemingly are here to stay.

James Brotsos is a Developer Advocate at Checkmarx
Share this

Industry News

December 01, 2022

Salesforce introduced a new Automation Everywhere Bundle to accelerate end-to-end workflow orchestration, automate across any system, and embed data and AI-driven workflows anywhere.

December 01, 2022

Weaveworks announced that Flux, the original GitOps project, has graduated in the Cloud Native Computing Foundation (CNCF®).

December 01, 2022

Tigera announced enhancements to its cluster mesh capabilities for managing multi-cluster environments with Calico.

December 01, 2022

CloudBees achieved the Amazon Web Service (AWS) Service Ready Program for Amazon Elastic Compute Cloud (Amazon EC2) Spot Instances.

November 30, 2022

GitLab announced the limited availability of GitLab Dedicated, a new way to use GitLab - as a single-tenant software as a service (SaaS) solution.

November 30, 2022

Red Hat announced an expansion of its open solutions publicly available in AWS Marketplace.

November 30, 2022

Sisense announced the availability of the Sisense CI/CD Git integration module.

November 29, 2022

Codenotary announced TrueSBOM for Serverless, a self-updating Software Bill of Materials (SBOM) for applications running on AWS Lamda, Google Cloud Functions and Microsoft Azure Functions that is made possible by simply adding one line to the application source code.

November 29, 2022

Code Intelligence announced its open-source Command-Line Interface (CLI) tool, CI Fuzz CLI, now allows Java developers to easily incorporate fuzz testing into their existing JUnit setup in order to find functional bugs and security vulnerabilities at scale.

November 29, 2022

Parasoft announced the 2022.2 release of Parasoft C/C++test with support for MISRA C:2012 Amendment 3 and a draft version of MISRA C++ 202x.

November 28, 2022

Kasm Technologies announced the release of Kasm Workspaces v1.12, providing major enhancements to its portfolio of digital workspaces delivering Desktop as a Service (DaaS), Virtualized Desktop Infrastructure (VDI), Remote Browser Isolation (RBI), Open-Source Intelligence Collection (OSINT), Training/Sandboxes, and Containerized Application Streaming (CAS).

November 28, 2022

Cloud4C has achieved Amazon Web Services (AWS) DevOps Competency status.

November 28, 2022

Simplilearn has acquired Fullstack Academy, for an all-cash transaction.

November 22, 2022

Red Hat introduced Red Hat Enterprise Linux 9.1and Red Hat Enterprise Linux 8.7.

November 22, 2022

Armory announced its new cloud-based solution called Continuous Deployment-as-a-Service, now available on the AWS Marketplace.