Improving Application Security Education Through Community
At this year’s Black Hat USA, Fletcher Heisler (Founder, Hunter2) and I had the pleasure of sharing our perspectives on application security education in a talk titled “Shifting Knowledge Left: Keeping up with Modern Application Security.” In our presentation, we discussed where current software security education approaches are limited in their effectiveness, stifling change in application security. We highlighted that the industry’s focus on the OWASP Top 10 has led to blind spots in engineer training, especially when compared with current data released by HackerOne showing only a 40% overlap between the Top 10 and the bug classes actually abused in real-world reports.
The conclusion of our talk broached the idea that, to positively change application security outcomes, we will need to change how we engage our software engineers in education and outreach. By putting our engineers’ way of working at the forefront of our engagement, we can teach them software security by letting them do what they do best: write code! Today, Duo Security and Hunter2 are excited to release a new service, associated open-source lessons, and two training slide decks to help teams provide a better educational experience.
Rethinking Application Security Education
The Application Security team here at Duo has been building and providing in-house software security trainings for over two years. When we started, the goal was to build a curriculum that people would want to take and would tell others to take, too. To keep ourselves honest, we decided that training would not be mandatory for anyone. That meant we’d actually have to run trainings that people heard good things about and that added real value to their skills. Wild idea, I know!
We offer each of our (currently four) training courses every single quarter, visiting different Duo offices so that we can go where our engineers are whenever possible. While the lessons are important, building relationships with the engineers we are here to support is just as crucial. After each class we send a comprehensive survey to our attendees that lets us recalibrate everything from room logistics, to instructor delivery, to lab difficulty. To maintain a great reputation for our trainings, we have to be willing to act on that feedback!
Increasing Developer Engagement via… Development!
Over a year ago, Duo started to evaluate how we could provide on-demand application security education to our engineers, going beyond quarterly trainings. Further, we had been running much of our own lab infrastructure to support trainings, which took more effort than we would have liked. This led us to ask Fletcher Heisler at Hunter2 what his company was up to.
Hunter2 provides an interactive, web-based experience for engineers where they use a code editor and interact with a real Linux server and real application stacks. The platform enables guided lessons that help engineers understand vulnerability classes, exploit them, and, most importantly, patch the issues! While it may seem obvious, many “software security” training technologies are really just penetration testing, since they give engineers no way to learn, in the specific context of their own code, how to actually prevent the issues. That should be the whole point.
Our team chose this platform not just for the level of interaction it gives engineers, but because, unlike other offerings, the labs it ships with are not the end of the road: we could bring our own lessons, too. That is a critical feature for our team, since it lets us cater specifically to our engineers’ needs and keep pace with application security trends more readily.
Growing the Application Security Education Community
Today’s release by Duo Security and Hunter2 involves three core pieces:
The release of Hunter2 Community, a free application security learning platform where users can explore guided, interactive lessons provided by the community. The platform will also allow community members to submit their own lessons.
Duo Security is open-sourcing six custom lessons that will be accessible via Hunter2 Community and serve as examples others can use to build their own.
Duo Security is also releasing public versions of our “Introduction to Application Security” and “Advanced Application Security” training course slide decks.
Fletcher and I are hopeful that we can encourage more application security teams to provide valuable, highly interactive educational opportunities to their engineers. With these resources, teams will have a jumping-off point to start providing more robust trainings, build custom lessons that resonate with their engineers, and contribute back via Hunter2 Community.
Even if your organization doesn’t have an application security team, we’re hopeful that you (our avid reader) will share these opportunities with security-minded engineers or grow a passion for software security as an internal champion. Starting from scratch is hard, so we’re excited to share this content as a way to reduce the friction of spinning up such an effort.
We hope you take the chance to check out Hunter2 Community, our open-sourced Hunter2 lessons, and our training slide decks. While we can’t guarantee our curriculum or lessons will be exactly what your team needs, we do think they will spur the conversations that lead to your own tailored content. Looking for other great content beyond ours? Take a look at PagerDuty’s fantastic Security Training for Engineers courseware, too.
Software security is a big challenge and progress is moving slowly. Let’s do our best as a community to share more of our own presentations, labs, and passion for helping engineers do their best, most security-minded work.
Oh, and curious what you missed in our talk at Black Hat? Check out our slides or watch the webinar redux of the presentation. We hope they inspire you to take up this important challenge!