5 Ways to Train Security Champions in Cross-Functional DevOps Teams - Part 1
August 28, 2019

Ed Adams
Security Innovation

As organizations seek to better embed security into DevOps and Agile software development, they're going to need to find better ways of scaling security knowledge across cross-functional teams.

Gone are the days where the security team can hold all the relevant knowledge for an IT organization and personally enact all the security checks on software code or infrastructure hosting applications. There are too many new applications and features being deployed, too much infrastructure spun up and down daily.

Everyone needs to chip in, and the only way they can do that is if companies properly train members of cross-functional teams on what it means to deploy secure software.

Cross-functional DevOps teams — and even non-DevOps teams moving toward continuous delivery of software — need all their members to skill up with both generalized and specific security training. From developers to DevOps engineers to site reliability specialists to database professionals, everyone needs to understand how security considerations impact the risk of the overall IT ecosystem they operate within, and how these security concerns should shape the work they do day in and out.

Here are five ways to accomplish that:

1. Raise the Bar on Security Awareness Across the Team

The goal for modern security training in the DevOps era should be two-fold. First, organizations should seek to generally elevate security awareness across all IT functions.

Second, they should seek to train an elite cadre of security champions with deeper levels of security knowledge who work in various capacities for the team.

The first objective of awareness isn't to make everyone deep security experts, but instead to raise the overall bar for awareness about security from anyone that touches the continuous delivery/continuous integration (CI/CD) software pipeline. This includes developers, but also QA engineers, operations professionals, DBAs and more.

The second objective recognizes that in a DevOps environment that deputizes technologists of all types to execute on security strategy, there are going to be times where the organization risks watering down deep technical security competence in the trenches. Seeding teams with at least a handful of security champions with deeper levels of security knowledge, as it applies to their specialty, ensures that things don't get overlooked.

DevOps depends on an increased collaboration between IT roles and self-service. The challenge is: as roles start to bleed into one another through deeper collaboration, individuals start to need a wider breadth of knowledge than ever before about how their actions impact the organization's threat posture. Take developers, for example: so much of application security (APPSEC) training today is focused solely on secure coding techniques, without accounting for the reality that developers today are spinning up servers, containers and otherwise self-provisioning the infrastructure their software is running on.

Even when developers take the best secure coding training available, they may be missing a whole lot of knowledge about the dangers of security misconfiguration when they're setting up their infrastructure.

There should be a core set of common knowledge that everyone needs to know about security principles: things like regulatory concerns, infrastructure issues, commonly used tools, and so on.

This would give your architects, developers, database administrators, and anyone else in the CI/CD world a common foundation of awareness. In this scenario, ideally they would all be asking themselves, “Is this the most secure way to do this task?”

At the same time, security champions who are more interested in the technical details of these issues should also have the opportunity to extend their learning path beyond the basics so they can bring greater technical knowledge to bear and act as a security resource for the rest of their team. Identifying and grooming these champions will ensure that the team has not only breadth but depth of knowledge as well.

2. Balance Traditional Training with Hands-On Learning Methods

Traditional training is still the best starting point for disseminating security knowledge across teams. Continuing professional education (CPE) classes and overviews are all relevant and help build a foundation of introductory awareness. They're not always the most exciting method of learning, but they are incredibly effective when paired with more advanced training.

At the same time, that traditional classroom training is more likely to stick with employees when supplemented with additional hands-on reinforcement. Security leaders hoping to build out security knowledge across the DevOps contingent should start exploring the benefits of gamification and simulation and how they can improve performance on the job.

Developers, IT operators, and architects are much more likely to appreciate the nuances of security risks when their book knowledge is paired with hands-on training in simulated environments, or some kind of area where they can appreciate what they're defending against. Rather than just saying, "Academically, here's what SQL injection is, here's how to defensively code against it," it's better to allow security champions to exploit those issues so they really understand them from all angles.

Read 5 Ways to Train Security Champions in Cross-Functional DevOps Teams - Part 2

Ed Adams is President and CEO of Security Innovation
Share this

Industry News

March 28, 2024

Check Point® Software Technologies Ltd. announced a collaboration with Microsoft that utilizes the Microsoft Azure OpenAI Service to enhance Check Point Infinity AI Copilot, marking a significant advancement in cyber security AI applications.

March 28, 2024

ArmorCode announced ArmorCode Risk Prioritization, providing a 3D scoring approach for managing application security risks.

March 28, 2024

AppViewX and Fortanix announced a partnership to offer cloud-delivered secure digital identity management and code signing.

March 27, 2024

WaveMaker has updated its platform in response to customer demand for more sophisticated API and code management tools.

March 27, 2024

Vercara announced the launch of UltraAPI™, a product suite that protects APIs and web applications from malicious bots and fraudulent activity while ensuring regulatory compliance.

March 27, 2024

Legit Security announced the launch of its standalone enterprise secrets scanning product, which can detect, remediate, and prevent secrets exposure across the software development pipeline.

March 26, 2024

Progress announced a strategic partnership with Veeam® Software, the #1 leader by market share in Data Protection and Ransomware Recovery, to provide customers with an enterprise-ready cyber defense solution that strengthens the security of their business-critical data.

March 26, 2024

GitGuardian released its Software Composition Analysis (SCA) module.

March 26, 2024

DataStax announced a milestone in its journey to simplify enterprise retrieval-augmented generation (RAG) for developers by integrating with Microsoft Semantic Kernel.

March 25, 2024

Check Point® Software Technologies Ltd. is collaborating with NVIDIA to enhance the security of AI cloud infrastructure. Integrating NVIDIA BlueField DPUs, which feature a broad range of purpose-built, innovative security capabilities, the new Check Point AI Cloud Protect solution will help prevent threats at both the network and host levels.

March 25, 2024

Sentry announced the release of Autofix, an AI-powered feature to debug and fix code in minutes, saving important time and resources.

March 25, 2024

Apiiro announced a product integration and partnership with Secure Code Warrior, the agile developer security training platform, to extend its ASPM technology and processes to the people layer.

March 21, 2024

Progress announced that Progress® Semaphore™, its metadata management and semantic AI platform, was named a Champion in SoftwareReviews’ 2024 Metadata Management Emotional Footprint Awards.

March 21, 2024

The Cloud Native Computing Foundation® (CNCF®) has partnered with Udemy, an online skills marketplace and learning platform.

March 21, 2024

GitLab has acquired Oxeye, the provider of a cloud-native application security and risk management solution.