Fork me on GitHub

Culture and Organization -> Education and Guidance: Regular security training for all

Risk and Opportunity

Risk: Understanding security is hard.
Opportunity: Provide security awareness training for all internal personnel involved in software development on a regular basis like twice in a year for 1-3 days.

Additional Information

Conduct security awareness training for all roles currently involved in the management, development, testing, or auditing of the software. The goal is to increase the awareness of application security threats and risks, security best practices, and secure software design principles. Develop training internally or procure it externally. Ideally, deliver training in person so participants can have discussions as a team, but Computer-Based Training (CBT) is also an option.

Course content should include a range of topics relevant to application security and privacy, while remaining accessible to a non-technical audience. Suitable concepts are secure design principles including Least Privilege, Defense-in-Depth, Fail Secure (Safe), Complete Mediation, Session Management, Open Design, and Psychological Acceptability. Additionally, the training should include references to any organization-wide standards, policies, and procedures defined to improve application security. The OWASP Top 10 vulnerabilities should be covered at a high level.

Training is mandatory for all employees and contractors involved with software development and includes an auditable sign-off to demonstrate compliance. Consider incorporating innovative ways of delivery (such as gamification) to maximize its effectiveness and combat desensitization.

Source: OWASP SAMM 2

Implementation hints

Usefulness and Requirements of this Activity

Usefullness: High
Required knowledge: Medium (two disciplines)
Required time: High
Required resources (systems): Low


ISO27001 2017