Instaclustr is committed to providing our customers with solutions that maintain their data security, confidentiality, and integrity. Ensuring our product development team has up-to-date training on security tools, techniques, and common pitfalls is a vital part of achieving these outcomes.
When the Open Web Application Security Project (OWASP) released its Top 10 web application security risks in 2021, our security team realized that our existing Software Engineer Security Training Course was outdated. So we developed a new training course structured around the OWASP Top 10 categories. Given Instaclustr’s commitment to open source, it’s no surprise that we soon realized the core training material could be useful to other organizations, so we decided to release the content publicly. We hope this course will help other organizations improve their security training, and that the community’s contributions will improve ours in turn.
Q: What’s Covered in the Course?
To align with the PCI DSS requirement 6.5 on common coding vulnerabilities, our Software Engineer Security Training Course is effectively a survey course, briefly covering the key topics and common vulnerabilities relevant to software engineers today. We include every topic listed in the PCI DSS 6.5.x subsections and each entry in the CWE/SANS Top 25 Most Dangerous Software Errors, highlighting where each one falls within the OWASP Top 10 categorization.
As with any survey course, we do not cover every detail. Instead, we provide the basic knowledge and prepare engineers to undertake additional research in specific areas when the need arises in their day-to-day work. Throughout the slides, we link to the Common Weakness Enumeration (CWE) site for more detailed guidance on individual vulnerabilities, making it easy for engineers to refer back and dive into the details when they need to.
Q: How Can I Adapt This for My Organization?
When thinking about open sourcing our existing training material, we realized that a traditional slide deck file format would not work well for collaboration within a public repository, so we started looking for alternatives. After evaluating a few options, we selected Marp (Markdown Presentation Ecosystem) as the format. It is built on top of the widely used CommonMark variant of Markdown, making it easy for new contributors to pick up, and since it is plain text, it fits very well with GitHub’s pull-request style of collaboration. Building on the Marp project also means we benefit from the features of that ecosystem, such as its VS Code plugin and its range of export options, including PPTX and PDF.
Within the slide deck content itself, we have marked out specific places where organization-specific material is likely to be valuable when presenting the course to a particular team. Placeholder slides are included, for example, for content on how to prevent SQL injection vulnerabilities in your organization’s object-relational mapping (ORM) system of choice.
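To illustrate the kind of content such a placeholder slide might hold, here is an added example written for this article rather than taken from the course or from Instaclustr’s code. It uses Python’s standard-library sqlite3 driver against a constructed in-memory users table (the table, rows, function names and the `PAYLOAD` string are all assumptions for the demonstration). The vulnerable lookup builds its query by string interpolation; the hardened version binds the value as a parameter, and the sort helper shows the case parameters cannot cover: an identifier such as a column name, which has to be validated against an allow-list instead.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the course material).
SAMPLE_USERS = [("alice", "admin"), ("bob", "user"), ("carol", "user")]

# Classic tautology payload used to show the injection succeeding.
PAYLOAD = "x' OR '1'='1"

# Only these column names may appear in ORDER BY (assumed schema).
ALLOWED_SORT_COLUMNS = {"id", "username", "role"}


def make_db():
    """Create an in-memory database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)", SAMPLE_USERS
    )
    conn.commit()
    return conn


def find_user_unsafe(conn, username):
    """VULNERABLE: the caller's input is spliced into the SQL text, so a
    quote in the input ends the string literal and the rest is parsed as SQL."""
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username):
    """HARDENED: the value is bound as a parameter. The driver never treats it
    as SQL, so quotes and keywords in the input are just characters to match."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def list_users_sorted(conn, sort_col):
    """Identifiers (table or column names) cannot be bound as parameters, so
    the only safe option is to accept them from a fixed allow-list."""
    if sort_col not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_col!r}")
    # Safe to interpolate here: sort_col is one of our own literal strings.
    return conn.execute(f"SELECT username FROM users ORDER BY {sort_col}").fetchall()


def demo():
    """Run both lookups with the same payload and return what each one leaks."""
    conn = make_db()
    return {
        "unsafe": find_user_unsafe(conn, PAYLOAD),   # every row comes back
        "safe": find_user_safe(conn, PAYLOAD),       # no such user: empty list
        "safe_legit": find_user_safe(conn, "alice"),  # normal lookup still works
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

Most ORMs generate parameterised queries by default, so the injection usually reappears through their raw-query escape hatches or in dynamically built ORDER BY and column lists; that is the material worth filling in for your own stack on the placeholder slide.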
Q: What’s It Like to Present?
Within Instaclustr, we present this content, along with material specific to our technology stack, in a 90-minute session. Based on feedback from our development team, we’re considering spreading it over two sessions in the future, as it’s a lot of content to digest in one sitting. Plus, when you’re presenting it for the first time, it’s likely to take a little longer!
Q: How Do I Get Started?
Instaclustr’s Software Engineer Security Training Course is available now on GitHub, with a readme explaining how to build the slide deck from its Markdown source and how to edit the slides to fit your needs. We very much hope that when you find improvements worth making, you’ll raise a pull request with us so everyone can benefit.