Developer security education products are pointless
Companies in this space are just features, not products or platforms.
Disclaimer: Opinions expressed are solely my own and do not express the views or opinions of my employer or any other entities with which I am affiliated.
Security training and education have always been staples of security programs. It makes sense. Employees should know about the common threats the company faces and the avenues for reporting suspicious activity. It also helps provide a baseline of security knowledge across the organization. However, these trainings have become outdated, especially with the shift in working habits. For example, most of them are focused on an office-based workforce. Phishing attacks have become more sophisticated. Most records are now digital, and access to them has become one of the issues. The list goes on.
There’s specifically a focus on more in-depth security education for developers. It’s emphasized more in companies that work in regulated industries. Developers hold access to the application and to some of the most sensitive data. This is especially true as more companies rely on technology to run their businesses and store their information. Gone are the days of paper records. Even in companies that still keep paper records, there’s a digital version. Increasingly, a company’s risk is concentrated in its applications (internal and external) and digital infrastructure, shifting more of the security risk onto developers. No wonder it is, and continues to be, an important part of many compliance certifications. However, like broader security education, there have been shifts that affect the effectiveness of developer security education.
What is developer security education?
Before we talk about the specific changes and how they might affect the industry, let’s talk a bit about what developer security education is. It’s focused on teaching developers how to spot vulnerabilities and adopt secure development practices. Most of these trainings focus on the OWASP Top 10, which is updated annually. That’s also part of the reason companies require developers to do this training annually (on top of the fact that it’s necessary for annual compliance certifications).