SEC11-BP01 Train for application security

Provide training to the builders in your organization on common practices for the secure development and operation of applications. Adopting security focused development practices helps reduce the likelihood of issues that are only detected at the security review stage.

Desired outcome: Software should be designed and built with security in mind. When the builders in an organization are trained on secure development practices that start with a threat model, it improves the overall quality and security of the software produced. This approach can reduce the time to ship software or features because less rework is needed after the security review stage.

For the purposes of this best practice, secure development refers to the software that is being written and the tools or systems that support the software development lifecycle (SDLC).

Common anti-patterns:

• Waiting until a security review, and then considering the security properties of a system.

• Leaving all security decisions to the security team.

• Failing to communicate how the decisions taken in the SDLC relate to the overall security expectations or policies of the organization.

• Engaging in the security review process too late.

Benefits of establishing this best practice:

• Better knowledge of the organizational requirements for security early in the development cycle.

• Being able to identify and remediate potential security issues faster, resulting in a quicker delivery of features.

• Improved quality of software and systems.

Level of risk exposed if this best practice is not established: Medium

Implementation guidance

Provide training to the builders in your organization. Starting off with a course on threat modeling is a good foundation for helping train for security. Ideally, builders should be able to self-serve access to information relevant to their workloads. This access helps them make informed decisions about the security properties of the systems they build without needing to ask another team. The process for engaging the security team for reviews should be clearly defined and simple to follow. The steps in the review process should be included in the security training. Where known implementation patterns or templates are available, they should be simple to find and link to the overall security requirements. Consider using AWS CloudFormation, AWS Cloud Development Kit (AWS CDK) Constructs, Service Catalog, or other templating tools to reduce the need for custom configuration.

Implementation steps

• Start builders with a course on threat modeling to build a good foundation, and help train them on how to think about security.

• Provide access to AWS Training and Certification, industry, or AWS Partner training.

• Provide training on your organization's security review process, which clarifies the division of responsibilities between the security team, workload teams, and other stakeholders.

• Publish self-service guidance on how to meet your security requirements, including code examples and templates, if available.

• Regularly obtain feedback from builder teams on their experience with the security review process and training, and use that feedback to improve.

• Use game days or bug bash campaigns to help reduce the number of issues, and increase the skills of your builders.

Resources

Related best practices:

• SEC11-BP08 Build a program that embeds security ownership in workload teams

Related documents:

• AWS Training and Certification

• How to think about cloud security governance

• How to approach threat modeling

• Accelerating training – The AWS Skills Guild

Related videos:

• Proactive security: Considerations and approaches

Related examples:

• Workshop on threat modeling

• Industry awareness for developers

Related services:

• AWS CloudFormation

• AWS Cloud Development Kit (AWS CDK) (AWS CDK) Constructs

• Service Catalog

• AWS BugBust