Customers come to us at HackEDU and ask “How much should I spend on Secure Coding Training?” This is a very good question - we can certainly understand the need to know how much to spend for effective training. We at HackEDU offer mid-cost training, but the truth of the matter is, a mid-cost solution might not be the best fit for you. In fact, a free or high-cost option may be best for you. This post explains the different pricing options and the pros and cons of each type of training at those price points, so that by the end you will be able to identify the best option for you.
A Fortune 1000 strategy executive once said of CTOs, “If they aren’t spending 70% of their training budget on secure coding training, they should be fired.” However, many CTOs do not focus on secure coding training since they are usually measured on building products and so allocate little of their budget to secure coding training. Although there may be a lack of CTOs who focus on secure coding training, many CISOs want it prioritized. This post will walk through training options (ranging from $0–$1800+ per developer) and discuss the pros and cons of each.
The secure coding training method that is best for your employees greatly depends on your available training budget. If there is no budget set aside for secure coding training, budgeting adjustments may be necessary, as this training is extremely helpful for reducing the number of vulnerabilities in your code.
Training has been shown to have an ROI of 4.4x the total training cost (ROI of Secure Development Training); however, it is important to note that developer engagement and interest in the content are the biggest drivers of training effectiveness. Interactive training that involves problem solving tends to be the most engaging and thus the most effective.
If you cannot convince your organization that secure coding training is vital and deserves funding, you can use free resources to teach your employees important secure coding skills. There are free online resources from organizations such as OWASP that can be used to develop training programs, but as nothing is truly free, it will take time and effort to develop a quality course from the free content available. Also, remember: if your developers are not excited to learn about secure coding, they may not engage with the course materials you put together; therefore, this type of training may not be effective for your team. There are other resources, such as WebGoat (a vulnerability testing web app), that can be used for more hands-on training. These resources, however, are typically developed to provide general knowledge on security testing and may not be updated regularly with the most current security methods. Therefore, because free online training tools may be dated or uninteresting to your developers, they may not suit your company’s needs. In addition, installing these platforms and distributing them to your team takes considerable effort, so solutions like this do not scale easily to large teams.
If your company does have the budget for secure coding training, there are many vendors that can provide training videos or slides at a low cost (around $200 per developer). However, while you may save money with these methods, they may not be effective and thus not worth their cost savings.
Developers may fast-forward through the slides to get through them as quickly as possible because they do not find the content engaging. If you have a very large team or only want to provide general training, these methods may be enough to expose your team to secure coding; however, if you have a small development team, it may be worth it to use an alternative solution. Some video- and slide-only solutions cost $800 or more; do not spend this much on them, as far more effective solutions are available at this price point.
If you have a large training budget, you may want to use in-person training methods, as some people learn best in a classroom environment with a live instructor. However, if in-person training does not have an interactive component, it may not be worth its price, which could be in excess of $1800 per developer. It may not be helpful for your employees to watch someone walk through slides. So, although this would save you the time of developing your own course materials, your employees may still have difficulty engaging with the content.
In-person training, however, may be worth its cost if you have a small development team and find an interactive program. In-person training can be difficult if you have a large team: the larger your team, the less individual attention each developer receives, and you may have to run multiple iterations of the course to make sure everyone gets trained. Scheduling can become unwieldy.
For mid-sized budgets, look for interactive training that teaches new skills to developers. These courses will be more engaging and thus more effective than slides or videos, but are less expensive than in-person training. In addition, it is worth noting that solutions that focus on the offensive side of security have been shown to be more effective than defensive training alone. HackEDU’s training falls into this category. We believe in our mission of ensuring developers have the skills they need to write secure code and want to share it with as many companies as possible. Please contact us to find out how we can help you.
Secure coding training can be worth its weight in gold if the correct type of training is chosen. Therefore, focus on finding a solution that works for your budget and keeps your developers engaged and interested. Try to find a training program that is interactive and teaches both offensive and defensive approaches.