Getting Developers Interested in Software Assurance Training
As the team progressed in studying cyber security and software assurance, it became increasingly clear that this was not only an ambitious undertaking but also an urgent need. While there is a vast amount of information out there, developers do not know where to look, or even that they should be looking. The available material came mostly in two varieties: either at a general level, with instructions such as “implement secure programming practices” and no details to help a developer get started, or at too detailed a level for developers with no previous training or subject awareness to easily understand. The team spent a great deal of time collecting and digesting the volumes of information and training each other on what they found. The obvious next step was to create a “grass roots movement” in software assurance and secure coding. By presenting this information in an easy-to-understand manner, developers could immediately proceed to look for insecurities in their own code and fix them.
However, when new rules or processes are added to our work, the initial and natural response is often to resist and attempt to subvert the extra work, especially if it is not seen as adding value. Therefore, the software assurance training needed to create excitement and immediate interest. Thoughts of past government training in Information Assurance (IA) came to mind (“Bueller, Bueller…”). While IA should be performed throughout the development lifecycle, unfortunately it became a checklist at the end of development and was therefore not as effective. Software assurance activities need to be intimately integrated with software development in order to be part of the Navy’s solution against its cyber enemies. The plan was to create a set of classes, held over a couple of days, with fun hands-on activities to relate the volume of information in an interesting and easy-to-understand manner while keeping the students awake and engaged. The week would be divided into three sections: Hacker 101, Secure Coding, and Software Assurance. The Hacker 101 “be a hacker” portion gained early interest and filled the seats to maximum capacity. Who doesn’t want to pretend to be a hacker, even if they aren’t really sure what that means? This portion would help the developers understand the hacker’s mindset, satisfying Sun Tzu’s concept of understanding your enemy. How can you truly create secure code if you don’t know how the hackers are attacking? After this class grabbed everyone’s attention, along with concern about how to protect their software, the Secure Coding class would follow to begin teaching secure coding techniques, reinforced with more hands-on activities. Additionally, Software Assurance highlights would be presented before both Hacker 101 and Secure Coding to introduce the topic and to illustrate the connection between software assurance, cybersecurity and secure coding.
Finally, the Software Assurance class would be presented in more depth to round out the week with new processes and testing tools the developers could adopt to help them code more securely.