Explore the effectiveness of AppSec training for developers in this 33-minute OWASP Foundation conference talk. Dive into the results of a yearlong survey of nearly 1,000 software developers, assessing their application security knowledge before and after formal training. Examine the survey methodology, which includes developers from various backgrounds and industries, and discover the surprising findings from a "retest" of a subset of respondents. Learn about the gap between security awareness and prescriptive knowledge, the impact of sample fatigue, and unexpected results from technology companies. Gain insights into how developers learn, the importance of asynchronous learning, and the role of incentives in security training. Understand the implications of these findings for application risk managers and those relying on training as part of their application security strategy.
Can AppSec Training Really Make Developers Security-Smart?
Overview
Syllabus
Introduction
Denim Group
Bruce Schneier
AppSec vs Developer Training
Training is one of those sacred cows
Background on the project
Lack of workforce analytics
Research
Have You Had Any Training
How We Did It
Three Big hypotheses
Sample questions
prescriptive questions
results
gap between awareness and prescriptive
sample fatigue
weird results
technology companies
no prior secure coding
How Developers Learn
Asynchronous Learning
Dont Ignore the Basics
Incentives Matter
Conclusions
Whats next
Taught by
OWASP Foundation
Related Courses
-
Can AppSec Training Really Make a Smarter Developer?
-
Application Security Training Impact on Developer Code Vulnerability
-
AppSec Training Program Fine-Tuning Based on Survey Data - OWASP AppSecUSA 2014
-
AppSec Champions Programs - Best Practices and Survey Results
-
Data-Driven AppSec Champions Programs - Benchmarking Your Program with Numbers
-
Building an AppSec Program from Scratch
