OWASP Security Culture
Use activities to build security skills and knowledge. Activities also help maintain enthusiasm and interest in security. This chapter will discuss different types of activities that can be used. Activities must be relevant and targeted to the particular developers and development teams.
Security teams can start by first understanding the developers' security knowledge and experience, and then teach the required security skills using appropriate engaging activities. Initially, a simple quiz asking developers for their familiarity with application security such as the OWASP Top Ten can be useful. The skills to focus on will draw from the maturity goals set.
Make Learning material relevant. Learning material should target the developers' relevant programming languages and platform. There may be some security aspects that are more applicable for a frontend developer compared to a backend developer. It is also important to know the individual's current skill level, to be able to provide learning material that is appropriate.
Provide learning material in different formats, as individual people learn in different ways. Some may prefer reading to videos. Learning material that includes interactive labs can be an engaging and interesting way to develop hands on application security skills.
The type of activities selected should also be targeted to the individual developers and development teams. Some may enjoy interactive hackathons and secure coding labs, while others may prefer audio and video shows.
Developers may find it hard to find somewhere to start learning security. Helping developers learn security need not be difficult and extensively time consuming. Short, practical, targeted learning activities can be a good way to build security knowledge. Starting with the OWASP Top Ten which addresses commonly found vulnerabilities, can be a good approach.
Application security conferences are a good way for developers to learn from security professionals. Presentations can include secure coding practices, new security vulnerabilities and new security tools.
Security interest groups
Local application security groups can provide regular meetings for developers to meet and learn from each other.
Audio and video security shows provide regular presentations on various aspects of application security. They may provide updates on security events or in depth analysis of a particular area of application security.
Security training courses and workshops
Security training may take the form of slides presented by a speaker or self directed learning modules. It is important that training is relevant and engaging to ensure uptake and deliver the security knowledge desired.
Secure coding labs and pen testing labs
Interactive labs are a good way to get developers to engage with security learning material. In a pen testing lab, a developer finds and exploits a vulnerability. Secure coding labs help developers learn secure coding techniques, how to avoid common security mistakes and remediate vulnerabilities. These are targeted to a particular programming language.
Intentionally vulnerable applications give developers hands-on experience in finding and exploiting vulnerabilities. Intentionally vulnerable applications are created for educational purposes to contain vulnerabilities that are often found in real world applications. Vulnerable applications can be used as part of a group training event or independent training.
- OWASP WebGoat (written in Java)
- OWASP Vulnerable Web Applications Directory
CTF (Capture the Flag) events
A CTF (Capture the Flag) event is a competitive security challenge. Individuals or teams compete in tasks such as finding vulnerabilities in an intentionally vulnerable application. The winner of the CTF event is the individual or team who has achieved the most points, as a result of finding or exploiting vulnerabilities.
A hackathon event can be used internally for an organisation to find vulnerabilities in their applications. Similar to a bug hunt, a hackathon event dedicates time for development team members to identify possible vulnerabilities that may exist in a system's architecture or deployed code. Hackathons can be a good opportunity to identify and address security debt that has built up that teams have not had time to address during their normal operations.
Build security knowledge in a development team in an engaging way using gamification. Developers can be awarded points or badges for completing security learning material or demonstrating security knowledge. This may provide an incentive to complete security training. Receiving a badge for an accomplishment helps mark an individual's progress in application security. A competitive points system and team leaderboard can also help to provide some motivation to engage with security learning activities.