Provide security training
You must ensure that anyone in the organization who makes decisions that impact security of applications understands the implications of that those decisions. This makes security part of almost everyone’s job in the development life cycle including users, developers, product line managers, testers, and more. Each of these roles must have education on security risks and their role in keeping the applications safe via formal training, on-demand training, simulation exercises, threat modeling, mentoring/advisors, security champions, purple team activities, podcasts, videos, or any other learning methods.
Since engineers building systems are not usually security experts, training in both the technical and conceptual aspects of threat modeling is necessary for them to become effective at it so they can build systems that are Secure by Design. This is also vital for the threat modeling process to work at-scale in organizations where developers far outnumber security professionals. Threat modeling must be thought of as a fundamental engineering skill in which all engineers must have at least basic proficiency. Therefore, engineering teams must be trained to be competent at threat modeling as part of onboarding and with periodic refreshers.
Ultimately, each role needs to understand why it’s important to address security risks, what they need to do for security in their role, and how to do those things. We have learned that people who understand the attacker’s perspective, their goals, and how that shows up in real world security incidents will quickly become security allies instead of trying to avoid security.
Security is an infinite game where the threats, technology, and business assets to protect are always changing and the attackers never give up so the security training approach should also be ongoing and continuously evolve. Effective training complements and re-enforce security policies, SDL practices, standards, and requirements of software security, and be guided by insights derived through data or newly available technical capabilities.
Although security is everyone’s job, it’s important to remember that not everyone needs to be a security expert nor strive to become a proficient penetration tester. However, ensuring everyone understands security basics and how to apply them to their role of building security into software and services is essential (including in the safe use of their computers and their identities and logon accounts).
In particular, developers and the Since engineers building systems are not usually security experts, so training in both the technical and conceptual aspects of threat modeling is necessary for them to become effective at it so they can build systems that are Secure by Design. This is also vital for the threat modeling process to work at-scale in organizations where developers far outnumber security professionals. Threat modeling must be thought of as a fundamental engineering skill in which all developers and engineers must have at least basic proficiency. Therefore, development and engineering teams must be trained to be competent at threat modeling as part of onboarding and with periodic refreshers.
- Microsoft Learn: Introduction to GitHub Advanced Security
- GitHub: GHAS Developer Training
- Microsoft Learn: Configure SIEM security operations using Microsoft Sentinel
- Microsoft Learn: Microsoft Certified: Azure Security Engineer Associate
- Microsoft Learn: Microsoft Certified: Identity and Access Administrator Associate
- Microsoft Learn: Microsoft Certified: Security, Compliance, and Identity Fundamentals
- Microsoft Learn: Secure Azure services and workloads with Microsoft Defender for Cloud regulatory compliance controls
- GitHub: Microsoft Defender for Cloud Labs