Software Security Training (BSIMM6 Part 4)

“Without continual growth and progress, such words as improvement, achievement, and success have no meaning.” – Benjamin Franklin

TL;DR:

The Software Security Training practice is the third and last practice of the BSIMM6 Governance domain. The goal of this practice is to create knowledgeable team members across the firm. Besides providing everyone with the foundational knowledge of software security, it is critically important to establish role-based knowledge that specifically addresses the skills required to perform the Secure Software Development Life-Cycle (SSDL) activities. More information about the Training practice can be found here. The full BSIMM6 is available under the creative commons and can be downloaded at https://www.bsimm.com/download/.

Practice: Software Security Training

The governance domain contains practices that help organize, manage, and measure a software security initiative. Software Security Training, the third of three practices in the governance domain, aims at providing the necessary training for all stakeholders of the SSDL, such as business analysts, architects, developers and testers.

In the first part of this blog series it was established that BSIMM6 activities are categorized in maturity levels ranging from low maturity (level 1) to high maturity (level 3). This article focuses on the foundational activities (maturity level 1); if you want to learn more about the activities in maturity levels 2 and 3, visit the Software Security Training section at the official BSIMM6 website.

Provide awareness training

Out of all activities in this Training practice, this one has been observed in most organizations.
If you are not doing this activity yet, then it is a good place to start.

The Software Security Group (SSG) provides awareness training for everyone who is involved in the Software Development Life-Cycle (SDLC). The software security awareness training should cover the benefit of software security initiatives and the high-level concepts of software security, and explain how security risks affect the information assets of the firm.

Deliver role-specific advanced curriculum

After establishing the foundational training, the curriculum is extended with role-based training that is specific to the role of the trainee. For example, different training content is provided for Java developers and .NET developers that dives into the technology-specific vulnerabilities and the best practices to avoid them. Training also has to be provided for roles other than developers, such as architects, QA and even executives.

Create and use material specific to company history

While most of the content for the activities above is generic, this activity adds content specific to the company's history. One example is a review of former attacks against the company, the root cause of each issue and how it could have been avoided. Additionally, walking through application-specific code review or pentesting results with the responsible development team to cover common vulnerabilities will ensure high engagement.

Deliver on-demand individual training

While having an extensive instructor-led training curriculum is important, on-demand individual training lowers the burden on trainers and allows the training to scale across an organisation. On-demand training builds the foundation for many of the level 2 and 3 maturity activities. However, be mindful that on-demand training is not always the best fit for every topic and skill.

Start. Stop. Continue.

Consider the following strategy:

  • Start: Delivering on-demand training to allow scaling the training efforts.
  • Stop: Neglecting the importance of software security training.
  • Continue: Providing training to all stakeholders on software security foundations.

How does your software security initiative compare with your industry peers? Contact us to find out.