Training Tips for Secure DevOps

Maria Loughlin

As VP of Engineering, Maria manages the development teams for Veracode’s cloud-based platform and Web Application Security products. She is known for her high energy, optimism, and pragmatism, and can always be counted upon to call out the elephant in the room.

Lay a Broad Foundation.

In a DevOps environment, software developers must be proactive about building security into their applications. Conventionally, developers receive very little education or training in application security. So, your organization needs to provide devs with a firm grounding in key security concepts like authentication, authorization, data protection and session management. In addition devs need to be aware of best practices for embedding security in their SDLC and automating in their CI/CD pipeline.

Focus on What’s Most Relevant.

Once a working knowledge of the basics has been achieved, developers should take a deep dive into aspects of application security that are most relevant to their work. Therefore, your next round of training sessions should be assigned according to role and should focus on the specific technologies devs will need in order to integrate security into their daily work.

Keep Learning on the Job.

Security is a never-ending process and new threats emerge all the time. Furthermore, studies show that most people almost immediately forget much of what they learn in training. Therefore, your developers’ newfound security expertise should be kept front-of-mind and up-to-date with regular secure code reviews, feedback, mentoring and learning. Integration and automation of security processes—design, development, analysis, response—in the standard workflows ensures that security remains top of mind.

By Maria Loughlin | 23 May 2018