On-board AppSec as if they were Development

I posted a Twitter poll a couple weeks ago asking the following, “If you currently work or have worked in an Application Security role, how involved were you with a usual developer's new hire on-boarding and training? Or were you not included in developer on-boarding and training since you are/were in a Security role?” After twelve respondents, these were the results:

• Full Dev Onboarding: 33%

• Partial Dev Onboarding: 16.7

• No Dev Onboarding: 50%

Although the number of respondents are low, it tells me that 66.7% of AppSec people do not get the same training as developers. This resonated with me because in multiple jobs I was not trained along-side other developers as a new hire or when major changes were upcoming.

What is developer on-boarding?

In general when new developer hires come into an organization, they are asked to participate in a training or “boot camp” to get familiarized with how the development organization functions. They are presented with all the available tools, languages, the pipeline, network architecture, and informed of policies and procedures. This is fantastic for setting a baseline for development to all be on the same page, however not all engineers get to participate that should.

My experience

At a former position the organization made a massive switch over to the cloud, and just beforehand they held massive developer training sessions on how to use all the new tools. Of course, yours truly was not invited to any of it. So when the time came to perform security reviews for these new cloud based applications, I had to constantly play catch-up and look like I didn’t know what I was talking about. It’s embarrassing and stymies Application Security’s ability to thoroughly and quickly review new apps.

At my next organization developer training was not initially offered to me, so I still spent months trying to learn all about the corporate infrastructure from my colleagues and hunting down people with the help of my manager to understand more about the tech organization. Granted the company is quite large and there are many facets of tech, so it’s hard to nail down exactly what types of training I should be attending as an AppSec Engineer.

Why include AppSec in Dev training?

What AppSec people realize that the greater technology engineering space may not, AppSec personnel require the same knowledge and capabilities as the development staff to be the most efficient. AppSec people need to understand what is being used and why, including code languages, frameworks used, code and artifact repositories, build and deployment systems, and production architecture. Otherwise AppSec will always be behind the curve when all of these things eventually change and upgrade.

I personally have spent quite a bit of time self-teaching everything that is required to fully understand an application I am reviewing due to lack of initial developer training. This is generally not efficient and a waste of time and money.

Advantages

The time investment return of including AppSec in Dev training is high with very little cost. Since every developer goes through these training sessions, either live or recorded, adding a few additional students is very low cost. And also considering that there are upwards of one-hundred developers in an organization to one AppSec person, the cost is justified.

Now when security reviews are conducted by Application Security they require less ramp up time to fully understand the technology decisions that were made by the engineering team. This also has compelling returns for employees by showing that management cares about their time and education and are more likely to stay at an organization for longer.

Armed with this new knowledge, AppSec can also help identify issues with CI/CD platforms that are notoriously insecure, help define new secure defaults, and even remove redundant security checks to improve performance.

Hurdles

Of course, there are numerous hurdles an organization can face for this. In smaller tech organizations, perhaps less than 1000 people, it’s easier to have a single overall training that all developers need to take that an AppSec hire could also join in. In much larger tech org, you now face the problem with silos. In larger tech organizations, it will get to a point where silos begin to form and each silo may have their own training that gives all the necessary information that that tech silo requires. But since those tech silos are not hiring their own AppSec people, it’s pretty much guaranteed that they will not be involved with that training.

This is unfortunately a symptom of the greater problem mentioned above which is both the lack of qualified AppSec people and the lack of hiring enough AppSec people. When there is as little as one AppSec person per one-hundred developers, serious bottlenecks could occur. Secondly, when silos form in the greater tech organization, only those direct team hires will receive their training. AppSec people must perform security reviews for the entire tech organization, so they need to basically know a moderate amount about everything in the tech organization where a developer may only need very deep knowledge of their respective space.

Conclusion

I hope for a bright future where we can just trust all developers to always make the correct decisions when developing any kind of software, but that is only in a perfect world. There will always be a need for impartial, code security knowledgeable people to arbitrate the developer organization and hold people accountable. However these AppSec people need to have a similar caliber of knowledge as development. And when a tech organization gets so large silos begin to form, this further impacts the problem.

If your tech organization is hiring Application Security people, please make sure they get the same on-boarding treatment as others in development. If the tech organization is quite large, have the Information Security team develop a ‘need to know’ list or guide that is constantly updated so that new AppSec hires can perform a self-guided training for themselves to fully understand the tech organization.

You wouldn’t want to hire a new developer and not get them up-to-speed with how the tech organization works and why it does what it does. Please don’t do this to the people who need to be its security arm.

About the Author

Aaron is an Application Security Engineer with over 10 years of experience. His unorthodox career path has led to many unique insights in the security industry.