SEC11-BP01 Train for application security
Provide training to the builders in your organization on common practices for the secure development and operation of applications. Adopting security-focused development practices helps reduce the likelihood of issues that are only detected at the security review stage.
Desired outcome: Software should be designed and built with security in mind. When the builders in an organization are trained on secure development practices that start with a threat model, it improves the overall quality and security of the software produced. This approach can reduce the time to ship software or features because less rework is needed after the security review stage.
For the purposes of this best practice, secure development refers to the software that is being written and the tools or systems that support the software development lifecycle (SDLC).
Common anti-patterns:
- Waiting until a security review, and then considering the security properties of a system.
- Leaving all security decisions to the security team.
- Failing to communicate how the decisions taken in the SDLC relate to the overall security expectations or policies of the organization.
- Engaging in the security review process too late.
Benefits of establishing this best practice:
- Better knowledge of the organizational requirements for security early in the development cycle.
- Being able to identify and remediate potential security issues faster, resulting in a quicker delivery of features.
- Improved quality of software and systems.
Level of risk exposed if this best practice is not established: Medium
Implementation guidance
Provide training to the builders in your organization. Starting off with a course on threat modeling
Implementation steps
- Start builders with a course on threat modeling to build a good foundation, and help train them on how to think about security.
- Provide access to AWS Training and Certification, industry, or AWS Partner training.
- Provide training on your organization's security review process, which clarifies the division of responsibilities between the security team, workload teams, and other stakeholders.
- Publish self-service guidance on how to meet your security requirements, including code examples and templates, if available.
- Regularly obtain feedback from builder teams on their experience with the security review process and training, and use that feedback to improve.
- Use game days or bug bash campaigns to help reduce the number of issues, and increase the skills of your builders.