Individuals who install, administer or maintain commercial products must understand general corporate policies for secure software configuration, and also the product-specific security guidelines for the products they manage. IT developers who create new software, either for internal use or for commercial distribution, must understand secure system design and coding principles. In particular, they need to recognize the most common categories of security flaws that can arise in the types of software they develop, and know how to avoid them. QA engineers also need security training, since recognizing and efficiently finding security flaws often requires specialized knowledge and tools.
While some companies whose business is software development may develop custom security training programs for their staff, many will choose training programs developed by third parties. Organizations that publish security guidelines, such as SANS, often provide training programs that address those guidelines, as do some consulting and security research firms. An organization's choice between developing custom training programs and relying on third parties will depend not only on cost, but also on how unique its security policies are.
Organizations that develop, customize or configure software should define software security standards, and ensure their IT staff understands and adheres to these practices. Training can be a cost-effective way to fill what can otherwise be a costly gap in the knowledge of most IT staff.