Arjuna Shunn here to talk with you about the importance and value of software security training when implementing the Microsoft SDL.
Product and application development too often only focuses on finding security issues late in the development lifecycle, long after developers have completed features and code. Delaying focus on security results in both significant cost and a less effective software security posture. While security testing and analysis post-development are components of the SDL, the best returns on investment – and the focus of the SDL – are much earlier in the development lifecycle. One of the earliest, and often most effective components of a secure development program is effective training for product and application development staff, so they better understand the risks they can introduce into software before any code is written and indeed before any architecture is designed. To that end, we are releasing guidance to assist you with the adoption of critical training for creating more secure software.
In recent months, there have been several instances within private and public sectors where software security training for engineers has been recommended as a key method to help solve current software security problems. To assist you with developing training capabilities which will ease your deployment and accelerate your implementation of the SDL, we are releasing a whitepaper entitled Essential Software Security Training for the Microsoft SDL.
The expected audiences for this paper are technical decision-makers, compliance managers, software developers, and systems integrators who are working within or on behalf of organizations that are looking to implement the Microsoft SDL as part of their development lifecycle. The paper is broken into easy-to-digest sections that we hope are both readable and practical:
1. Overviews of Software Security Training: purpose, goals, and characteristics
2. A description of the Microsoft SDL core training courses,
3. Descriptions of advanced training content and topics
While training regimens differ based on organization specific needs, we hope this paper will provide a viable framework for understanding your needs as a development organization and help you to create and maintain an effective software security training capability.
As always, we welcome your questions and feedback in comments, mail, and our forums.