Top 4 Ways To Increase Completion Rates for Secure Coding Training

Jared Ablon
Jun 23, 2021

Originally posted: https://www.hackedu.com/blog/top-4-ways-to-increase-completion-rates-for-secure-coding-training

It’s indisputable: Secure Coding Training is effective in reducing vulnerabilities in code. That’s why more and more companies are turning to this training to help speed up software deployment and prevent vulnerabilities. However, training can only be effective if the trainees actually take and complete the training, and this is just as much the case for Secure Coding Training as any other type. All the potential benefits of training become diminished if no one wants to complete it — or even start it, as is sometimes the case if accessing the training portal is a struggle.

Security team leaders have told us that a successful roll-out of Secure Coding Training software reflects positively on the team overseeing the operation, and one of the main metrics by which they’re measured is completion rate. So how do you get developers to not only log in, but take and complete their training, which ultimately helps reduce vulnerabilities in your code?

The insights we’ve gained from working with hundreds of organizations and tens of thousands of developers can be distilled into the following list of approaches:

  1. Accountability
  2. Offensive Approach
  3. Hands-on
  4. Incentives

Accountability

Some organizations use accountability as an enforcement method to ensure that developers take the training. One example is not allowing developers to check in code unless they have completed the training. Many security organizations are hesitant to go down this route because they don’t want to be responsible for delaying product development. However, we’ve observed that the organizations that have buy-in from engineering for this have seen 100% completion rates. For those wary of this heavy-handed approach, a milder accountability measure, such as reminding developers at check-in that they haven’t taken the training, helps improve completion rates. Clearly communicating to developers that they are working on production code while not fully trained in security can motivate them to complete the training.

Jared Ablon

Co-founder and CEO of HackEDU. Previously a CISO. 15 years in cybersecurity.