Why Agile Learning is Vital for Secure Software Development
Posted: Tuesday, Feb 27


With recent increases in cyberattacks showing no sign of abating, the role software developers need to play to improve levels of protection is becoming more widely understood.

Encouragingly, industry research[1] shows nearly four in five developers believe that either they themselves are responsible for their code’s security or that every member of their team should be held accountable. The research also found 75% say they want to be trained in how to be more effective at generating secure code.

Concerningly, 86% of developers surveyed admit they currently struggle to practice secure coding. In many cases, this is because the training they have been receiving is no longer suited to their requirements.

Often, the training used is traditional and relies on outdated teaching methods that are neither engaging, up to date, nor relevant to current developer roles and skill levels.


The Rise of Agile Learning

For this reason, the strategy of agile learning has emerged as a critical training methodology for high-impact upskilling of software development teams. Using this approach, instructors can accommodate various skill levels while tying lessons to real-life scenarios.

Agile training sessions are built around just-in-time ‘microburst’ teaching scenarios. This means development teams can learn, test, and apply knowledge quickly and within the context of their work, in addition to addressing their current security challenges.

The approach replaces the more standard ‘check-the-box’ training often used where participants grind their way through online text, illustrations and videos. Through agile learning, organisations can transform development teams that currently have only basic code defence awareness and skills into security-skilled advocates for code quality and resilience.

Development teams that practice security as a foundational part of code development will grow confident in their own ability to write code that is safe while also reducing their software release timelines. As a result of staying up to date on new threats and mitigation techniques, these newly trained teams will also be able to eliminate bottlenecks that result from the need for product rework and remediation due to software vulnerabilities.

For an organisation to enable its development teams to reach this advanced state of security awareness, a number of best practices are required. They include:


Customise Learning to the Specific Needs of the Developers

Carefully tailored lessons are vital because different security skills are essential to address different security requirements. Also, most current training offerings do not consider how businesses evolve over time.

These offerings also often don’t cater for global scaling or regional or vertical-centric compliance requirements. Unfortunately, they often also fail to gather feedback from participants to aid in the development of future training materials. To remove such weaknesses, organisations should seek out practitioners and platforms that leverage agile learning techniques.


Align Training With Current Workflows

Unfortunately, development teams often view training sessions as a distraction from day-to-day routines and workloads. Indeed, any training that interrupts their task completion – and/or cannot deliver the right education at the right time in an easy-to-understand format – is unlikely to result in developers gaining actionable security expertise.

Agile learning techniques allow developers to readily integrate lessons into their work day for purposeful educational opportunities, thus building security from the start while using the familiar coding tools they work with every day.


Regularly Update Content

Instructors and their platforms should continually update teaching materials to include details of the latest cybersecurity breaches, vulnerabilities, and compliance standards. It’s important to steer away from more traditional approaches that are static and disengaging.


Supporting Developers

It’s encouraging to see that so many software developers want to take accountability for security in their products. For this reason, their organisations must commit to training utilising content that is closely connected to what they do on a day-to-day basis.

This can be achieved with an agile learning strategy. Participants will thrive by solving their actual problems. This, in turn, will ensure greater information retention and engagement.

Just as cybercriminals are constantly changing their tactics and approaches, so organisations must adapt the type of training being given to developers when it comes to security. The result will be more resilient code and a significant reduction in vulnerabilities.


[1] https://www.securecodewarrior.com/cp/the-state-of-developer-security-skills-2022

Matias Madou
Matias Madou, Ph.D. is a security expert, researcher, and CTO and co-founder of Secure Code Warrior. Matias obtained his Ph.D. in Application Security from Ghent University, focusing on static analysis solutions. He later joined Fortify in the US, where he realised that it was insufficient to solely detect code problems without aiding developers in writing secure code. This inspired him to develop products that assist developers, alleviate the burden of security, and exceed customers' expectations. When he is not at his desk as part of Team Awesome, he enjoys being on stage presenting at conferences including RSA Conference, BlackHat and DefCon.