The Need For Tailored Secure Code Training - Aligning with NIST Cybersecurity and Privacy Learning Program

The National Institute of Standards and Technology (NIST) has recently published a Special Publication: 800-50r1, "Building a Cybersecurity and Privacy Learning Program." This guide underscores the importance of tailoring security training to diverse audiences and leveraging innovative technologies to enhance their Cybersecurity and Privacy Learning Program (CPLP).

One of the cornerstone principles outlined by NIST is the customisation of training programs to meet the needs of the different audience groups within an organisation. A uniform training approach falls short of addressing the specific responsibilities and challenges faced by each role.

NIST identifies two categories of risk that a CPLP should cover, and places emphasis on the technical risk that comes from poorly designed systems or applications. Addressing this risk requires both topic-based and role-based training.

For developers, platform engineers and operations staff, specialised training is essential because of their direct involvement in creating and maintaining the full product, from coding to deployment. They need to be well versed in secure coding practices to prevent vulnerabilities that attackers could exploit. Training should cover secure design, defence in depth, the OWASP Top 10 and examples of real incidents, but also CI/CD security, infrastructure as code and cloud security.

Section 3.1.2.2 of the NIST publication outlines the audiences a CPLP must address. Besides new employees, who require onboarding training, all existing employees (including contractors and freelancers) require general workforce training. Furthermore, NIST calls for specialised training for "privileged access account holders" (operations, SecOps, the classic IT department) and for "staff with significant cybersecurity and/or privacy responsibilities", which includes software developers.

Classic Training Methods Won’t Work

NIST highlights the importance of providing training and learning content that is continuously updated to reflect the latest threat scenarios for the business. Traditional lecture-based training may not keep learners engaged or keep pace with the rapidly changing nature of cyber threats. That is why SecDim and dcodx combine instructor-led training with SaaS platforms. This provides the flexibility and accessibility needed for employees to engage with training material at their own pace and on their preferred devices, while still interacting with professional trainers in a live setting.

As NIST notes, there is no single way of delivering training: "Blending various training delivery techniques can be an effective way to present material and hold an audience's attention". SecDim, an in-repository secure code learning platform, and dcodx, a specialised developer security training academy, offer an integrated solution to embed in your CPLP.

Attendees practise in cyber-range-style labs inspired by real incidents, writing realistic patches that must satisfy automated security, unit and integration tests defined by cybersecurity experts.

Incorporating gamification elements such as challenges, leaderboards, wargames and rewards makes training more engaging and motivating. Gamified learning taps into natural human competitiveness and curiosity, encouraging learners to delve deeper into the material.

The Need for Developer-Centric Secure Code Training

By integrating with Git code repositories, SecDim provides immediate, contextual learning opportunities as developers write and review code. This integration means training is not a separate, disruptive activity but a natural part of the development process.

The platform delivers customised content that is relevant to the specific programming languages and frameworks used by the team.

Moreover, SecDim provides continuous feedback and progress tracking, so developers can follow their improvement over time. Managers also gain insight into the team's proficiency levels, helping to identify areas that need additional focus or support, as described in section 2.4, Determining CPLP Measurements and Metrics.

Conclusion

Building a robust cybersecurity and privacy learning program is not just a regulatory requirement but a strategic necessity in today's threat landscape. NIST provides complementary special publications that strengthen an overall cybersecurity and privacy program: a secure software development framework (NIST SP 800-218, the SSDF) and tailored learning (NIST SP 800-50r1).

Today's developers, as the creators of the complete products that underpin organisational operations, require specialised and practical training in secure coding practices. Platforms like SecDim offer a modern solution by integrating learning directly into the development workflow, and dcodx helps companies across sectors shape their DevSecOps processes and deliver compliant, secure products. This approach ensures that security is not an afterthought but an intrinsic part of the software development process.