The client is one of the world’s largest investment banks with application development teams located globally.
Client Requirement and Business Drivers
The main driver for training the software development community was the recognition that:
- The majority of security vulnerabilities are found in the application layer
- Despite many security initiatives and regular, comprehensive testing of systems, application-level security issues remained a primary area of concern, and were frequently the reason for re-work on projects and the cause of security incidents
- Timescales on most application development projects were critical to meeting business requirements
- There is always a delicate balance between functional requirements, business needs, and security risk
- Developers are usually focused on ensuring that business functional requirements are delivered within the timescales set down by the business
- In this environment, it was frequently too easy to overlook critical flaws in design or to depart from best-practice development methodology
The bank therefore implemented an initiative to focus on reducing security vulnerabilities early in the software development lifecycle; a critical element of this was training for the large development community around the world. The first step was to establish a common level of awareness of application security issues and how to address them.
It was decided to engage Commissum as an independent expert to propose a “quick fix” solution for spreading awareness with minimal disruption to the day-to-day operational activities of the developers. The solution agreed with the bank was a small bespoke e-learning package (a training “nugget”) based on the OWASP Top 10 security vulnerabilities.
The bank decided that, for reasons of expediency and simplicity of implementation, the e-learning would be delivered through a small, bespoke Flash module developed by Commissum – a training “nugget” that would form part of the longer-term initiative to raise awareness and implement training. This module would be distributed globally, throughout the enterprise; the mini training “nugget” was made mandatory for all development team members.
The features provided by the training “nugget” included:
- As a stand-alone Flash-based module it was very cost-effective to implement and simple to distribute
- It highlighted the typical issues and vulnerabilities that are found in most web-based applications – essentially based on the OWASP Top 10 with some tailoring for bank-specific issues
- Using simple graphical animation and interaction, the training nugget demonstrated:
  - What the vulnerabilities are
  - How the vulnerabilities manifest themselves and result in security issues
  - How developers can avoid these issues
- The training “nugget” included a simple method of tracking successful completion through multiple choice questions
- The trainees were required to complete the course and print a completion certificate generated by the system as proof of completion
As the first element of the bank's global training initiative this was a great success. The engaging, self-paced training “nugget” had a strong, immediate take-up in the development community, with high satisfaction levels recorded by the trainees. The interest created by the initiative had a very positive effect on the security awareness of the community, and created a very positive attitude towards the more detailed training initiatives that followed.