DevSecOps Security Culture and Training
Overview
DevSecOps security culture and training form the foundation of an effective security program, transforming security from a compliance requirement into an integral part of the development process. This article explores how to build and maintain a strong security culture that empowers development teams to take ownership of security while maintaining development velocity.
Building Security Culture
Understanding Security Culture
The Foundation of Security Culture
Security culture in DevSecOps environments is fundamentally different from traditional security approaches. It's about creating an environment where security is everyone's responsibility, not just the security team's:
PYTHON
# Example: Security culture assessment framework
import json
from datetime import datetime
from typing import Dict, List, Any
from dataclasses import dataclass
@dataclass
class CultureAssessment:
team_name: str
assessment_date: datetime
culture_dimensions: Dict[str, float]
overall_score: float
recommendations: List[str]
class SecurityCultureAssessment:
"""
Framework for assessing and building security culture
"""
def __init__(self):
self.culture_dimensions = {
'awareness': 'Security awareness and knowledge',
'responsibility': 'Sense of security ownership',
'communication': 'Security communication practices',
'learning': 'Continuous security learning',
'collaboration': 'Security collaboration',
'accountability': 'Security accountability',
'innovation': 'Security innovation mindset',
'trust': 'Trust in security processes'
}
self.assessment_questions = self.define_assessment_questions()
self.culture_indicators = self.define_culture_indicators()
def define_assessment_questions(self) -> Dict[str, List[str]]:
"""
Define questions for security culture assessment
"""
return {
'awareness': [
'How familiar are you with common security vulnerabilities?',
'Do you know how to identify potential security issues in code?',
'Are you aware of the security policies and procedures?',
'Do you understand the business impact of security incidents?'
],
'responsibility': [
'Do you feel personally responsible for security in your code?',
'Would you stop a deployment if you found a security issue?',
'Do you proactively look for security improvements?',
'Do you take ownership of security incidents related to your work?'
],
'communication': [
'Do you feel comfortable reporting security concerns?',
'Is security discussed regularly in team meetings?',
'Do you receive timely feedback on security issues?',
'Are security lessons learned shared across teams?'
],
'learning': [
'Do you regularly participate in security training?',
'Do you stay updated on the latest security threats?',
'Do you learn from security incidents and mistakes?',
'Are security best practices shared and discussed?'
],
'collaboration': [
'Do you collaborate with security team members?',
'Are security concerns addressed as a team?',
'Do you share security knowledge with colleagues?',
'Is there cross-team security collaboration?'
],
'accountability': [
'Are security responsibilities clearly defined?',
'Are security metrics tracked and reviewed?',
'Are security incidents properly investigated?',
'Are security improvements recognized and rewarded?'
],
'innovation': [
'Are new security tools and techniques encouraged?',
'Is experimentation with security approaches welcomed?',
'Are security automation initiatives supported?',
'Is continuous security improvement valued?'
],
'trust': [
'Do you trust the security processes and tools?',
'Are security decisions transparent?',
'Is blame avoided in security incidents?',
'Are security team members accessible and helpful?'
]
}
def define_culture_indicators(self) -> Dict[str, List[str]]:
"""
Define positive and negative indicators for security culture
"""
return {
'positive_indicators': [
'Security is discussed proactively',
'Team members report security concerns without fear',
'Security issues are addressed collaboratively',
'Security training is actively participated in',
'Security automation is implemented and used',
'Security champions emerge organically',
'Security metrics are understood and improved',
'Security incidents are treated as learning opportunities'
],
'negative_indicators': [
'Security is seen as a blocker to development',
'Security concerns are ignored or downplayed',
'Security incidents are blamed on individuals',
'Security training is treated as a compliance checkbox',
'Security tools are disabled or bypassed',
'Security responsibilities are unclear',
'Security metrics are not tracked or understood',
'Security team is seen as an adversary'
]
}
def assess_team_culture(self, team_responses: Dict[str, List[int]]) -> CultureAssessment:
"""
Assess team security culture based on responses
"""
culture_scores = {}
for dimension, responses in team_responses.items():
if responses:
# Calculate average score for this dimension (assuming responses are on 1-5 scale)
avg_score = sum(responses) / len(responses)
culture_scores[dimension] = avg_score
else:
culture_scores[dimension] = 0.0
# Calculate overall score
overall_score = sum(culture_scores.values()) / len(culture_scores) if culture_scores else 0.0
# Generate recommendations based on scores
recommendations = self.generate_recommendations(culture_scores)
return CultureAssessment(
team_name="Sample Team",
assessment_date=datetime.utcnow(),
culture_dimensions=culture_scores,
overall_score=overall_score,
recommendations=recommendations
)
def generate_recommendations(self, culture_scores: Dict[str, float]) -> List[str]:
"""
Generate recommendations based on culture assessment
"""
recommendations = []
# Add recommendations for dimensions scoring below threshold (3.0 on 5-point scale)
thresholds = {
'awareness': 3.5,
'responsibility': 3.5,
'communication': 3.5,
'learning': 3.5,
'collaboration': 3.5,
'accountability': 3.0,
'innovation': 3.0,
'trust': 3.5
}
for dimension, score in culture_scores.items():
if score < thresholds.get(dimension, 3.0):
recommendations.append(
f"Improve {dimension.replace('_', ' ').title()} (current score: {score:.1f})"
)
# Add specific recommendations based on scores
if culture_scores.get('awareness', 0) < 3.0:
recommendations.extend([
"Implement regular security awareness training",
"Create security knowledge base and resources",
"Conduct security workshops and demos"
])
if culture_scores.get('responsibility', 0) < 3.0:
recommendations.extend([
"Clarify security responsibilities in job roles",
"Implement security ownership in code reviews",
"Create security champions program"
])
if culture_scores.get('communication', 0) < 3.0:
recommendations.extend([
"Establish regular security communication channels",
"Create psychological safety for reporting concerns",
"Implement security discussion in standups"
])
if culture_scores.get('collaboration', 0) < 3.0:
recommendations.extend([
"Facilitate collaboration between dev and security teams",
"Create cross-functional security working groups",
"Implement joint security planning sessions"
])
return recommendations
def measure_culture_improvement(self, baseline: CultureAssessment, current: CultureAssessment) -> Dict[str, Any]:
"""
Measure improvement in security culture over time
"""
improvement_metrics = {}
for dimension in self.culture_dimensions.keys():
baseline_score = baseline.culture_dimensions.get(dimension, 0)
current_score = current.culture_dimensions.get(dimension, 0)
change = current_score - baseline_score
improvement_metrics[dimension] = {
'baseline': baseline_score,
'current': current_score,
'change': change,
'improvement': 'positive' if change > 0.1 else 'negative' if change < -0.1 else 'stable'
}
overall_change = current.overall_score - baseline.overall_score
return {
'overall_improvement': {
'baseline': baseline.overall_score,
'current': current.overall_score,
'change': overall_change,
'status': 'improved' if overall_change > 0.2 else 'declined' if overall_change < -0.2 else 'stable'
},
'dimensional_improvements': improvement_metrics,
'time_period': {
'start': baseline.assessment_date.isoformat(),
'end': current.assessment_date.isoformat()
}
}
# Example usage
def run_culture_assessment():
"""
Example of running security culture assessment
"""
assessment = SecurityCultureAssessment()
# Sample team responses (scores from 1-5 scale)
sample_responses = {
'awareness': [4, 3, 4, 5, 4], # Average: 4.0
'responsibility': [3, 4, 3, 4, 3], # Average: 3.4
'communication': [4, 4, 5, 4, 4], # Average: 4.2
'learning': [3, 4, 3, 4, 3], # Average: 3.4
'collaboration': [4, 3, 4, 3, 4], # Average: 3.6
'accountability': [4, 4, 4, 5, 4], # Average: 4.2
'innovation': [3, 3, 4, 3, 3], # Average: 3.2
'trust': [4, 4, 4, 4, 5] # Average: 4.2
}
# Run assessment
result = assessment.assess_team_culture(sample_responses)
print(f"Security Culture Assessment Results:")
print(f"Overall Score: {result.overall_score:.2f}/5.0")
print(f"Recommendations: {len(result.recommendations)}")
for i, rec in enumerate(result.recommendations, 1):
print(f" {i}. {rec}")
return result
# Run example
# result = run_culture_assessment()Security Mindset Transformation
Transforming the security mindset from "security vs. development" to "security enables development":
PYTHON
# Example: Security mindset transformation program
class SecurityMindsetTransformation:
"""
Program for transforming security mindset in development teams
"""
def __init__(self):
self.mindset_shifts = self.define_mindset_shifts()
self.transformation_phases = self.define_transformation_phases()
self.success_metrics = self.define_success_metrics()
def define_mindset_shifts(self) -> Dict[str, Dict[str, str]]:
"""
Define key mindset shifts needed for security culture
"""
return {
'shift_1': {
'old_mindset': 'Security is the security team\'s job',
'new_mindset': 'Security is everyone\'s shared responsibility',
'impact': 'Increases security ownership across all team members'
},
'shift_2': {
'old_mindset': 'Security slows down development',
'new_mindset': 'Security enables faster, more reliable development',
'impact': 'Reduces security as a bottleneck to delivery'
},
'shift_3': {
'old_mindset': 'Security is about compliance and audits',
'new_mindset': 'Security is about protecting customers and business',
'impact': 'Creates emotional investment in security outcomes'
},
'shift_4': {
'old_mindset': 'Security incidents are someone\'s fault',
'new_mindset': 'Security incidents are learning opportunities',
'impact': 'Encourages reporting and continuous improvement'
},
'shift_5': {
'old_mindset': 'Security is a phase in the development cycle',
'new_mindset': 'Security is integrated throughout the development cycle',
'impact': 'Shifts security left in the development process'
},
'shift_6': {
'old_mindset': 'Security tools are imposed restrictions',
'new_mindset': 'Security tools are enablers of secure development',
'impact': 'Increases adoption and proper use of security tools'
}
}
def define_transformation_phases(self) -> Dict[str, Dict[str, Any]]:
"""
Define phases of security mindset transformation
"""
return {
'awareness': {
'duration_weeks': 4,
'activities': [
'Security awareness workshops',
'Threat landscape presentations',
'Security incident case studies',
'Security policy reviews'
],
'objectives': [
'Increase security awareness',
'Understand business impact of security',
'Recognize common security threats'
],
'success_criteria': 'Team demonstrates basic security awareness'
},
'engagement': {
'duration_weeks': 8,
'activities': [
'Hands-on security training',
'Security tool demonstrations',
'Secure coding workshops',
'Security-focused code reviews'
],
'objectives': [
'Apply security knowledge practically',
'Use security tools effectively',
'Identify security issues in code'
],
'success_criteria': 'Team can identify and address basic security issues'
},
'ownership': {
'duration_weeks': 12,
'activities': [
'Security champion training',
'Incident response participation',
'Security metric ownership',
'Security process improvement'
],
'objectives': [
'Take ownership of security in their domain',
'Mentor others on security practices',
'Drive security improvements'
],
'success_criteria': 'Team members act as security advocates'
},
'innovation': {
'duration_weeks': 16,
'activities': [
'Security automation projects',
'Process improvement initiatives',
'Security tool evaluations',
'Cross-team security collaboration'
],
'objectives': [
'Innovate security solutions',
'Improve security processes',
'Share security knowledge organization-wide'
],
'success_criteria': 'Team contributes to organizational security maturity'
}
}
def define_success_metrics(self) -> Dict[str, Dict[str, Any]]:
"""
Define metrics for measuring mindset transformation success
"""
return {
'cultural_metrics': {
'security_awareness_score': {
'description': 'Average score on security awareness assessments',
'target': 4.0, # out of 5
'measurement_frequency': 'quarterly'
},
'security_responsibility_score': {
'description': 'Team\'s sense of security ownership',
'target': 4.0, # out of 5
'measurement_frequency': 'quarterly'
},
'security_collaboration_score': {
'description': 'Effectiveness of security collaboration',
'target': 4.0, # out of 5
'measurement_frequency': 'quarterly'
}
},
'behavioral_metrics': {
'security_issues_identified': {
'description': 'Number of security issues identified by team',
'target': 10, # per quarter
'measurement_frequency': 'quarterly'
},
'security_training_completion': {
'description': 'Percentage of team completing security training',
'target': 100, # percentage
'measurement_frequency': 'monthly'
},
'security_champions_active': {
'description': 'Number of active security champions',
'target': 1, # per team of 10
'measurement_frequency': 'monthly'
}
},
'outcome_metrics': {
'vulnerability_density': {
'description': 'Security vulnerabilities per thousand lines of code',
'target': 2.0,
'measurement_frequency': 'monthly'
},
'mean_time_to_detect': {
'description': 'Average time to detect security issues',
'target': 4.0, # hours
'measurement_frequency': 'monthly'
},
'security_incidents': {
'description': 'Number of security incidents per quarter',
'target': 2,
'measurement_frequency': 'quarterly'
}
}
}
def create_transformation_plan(self, team_size: int, current_maturity: str) -> Dict[str, Any]:
"""
Create a transformation plan for a team
"""
plan = {
'team_size': team_size,
'current_maturity': current_maturity,
'transformation_timeline': self.calculate_timeline(current_maturity),
'recommended_activities': [],
'success_milestones': [],
'resource_requirements': {
'training_hours': 0,
'tools_licenses': 0,
'external_consultants': 0
}
}
# Calculate timeline based on current maturity
maturity_timelines = {
'beginner': 40, # weeks
'intermediate': 32, # weeks
'advanced': 24 # weeks
}
total_weeks = maturity_timelines.get(current_maturity, 40)
plan['total_duration_weeks'] = total_weeks
# Add activities for each phase
for phase_name, phase_details in self.transformation_phases.items():
phase_start = sum(p['duration_weeks'] for p in list(self.transformation_phases.values())[:list(self.transformation_phases.keys()).index(phase_name)])
phase_end = phase_start + phase_details['duration_weeks']
phase_info = {
'phase': phase_name,
'duration_weeks': phase_details['duration_weeks'],
'start_week': phase_start,
'end_week': phase_end,
'activities': phase_details['activities'],
'objectives': phase_details['objectives']
}
plan['recommended_activities'].append(phase_info)
# Calculate resource requirements
plan['resource_requirements']['training_hours'] += len(phase_details['activities']) * team_size * 4 # 4 hours per activity
plan['resource_requirements']['tools_licenses'] += 1 if phase_name in ['engagement', 'ownership'] else 0
# Define success milestones
plan['success_milestones'] = [
{
'milestone': 'Awareness Phase Complete',
'week': 4,
'criteria': 'Team demonstrates basic security awareness',
'metrics': ['security_awareness_score']
},
{
'milestone': 'Engagement Phase Complete',
'week': 12,
'criteria': 'Team can identify and address basic security issues',
'metrics': ['security_issues_identified', 'security_training_completion']
},
{
'milestone': 'Ownership Phase Complete',
'week': 24,
'criteria': 'Team members act as security advocates',
'metrics': ['security_champions_active', 'security_collaboration_score']
},
{
'milestone': 'Innovation Phase Complete',
'week': 40,
'criteria': 'Team contributes to organizational security maturity',
'metrics': ['vulnerability_density', 'mean_time_to_detect']
}
]
return plan
def calculate_timeline(self, current_maturity: str) -> Dict[str, Any]:
"""
Calculate transformation timeline
"""
timeline = {
'current_state': current_maturity,
'target_state': 'security_champion',
'total_duration': self.transformation_phases['awareness']['duration_weeks'] +
self.transformation_phases['engagement']['duration_weeks'] +
self.transformation_phases['ownership']['duration_weeks'] +
self.transformation_phases['innovation']['duration_weeks'],
'phase_durations': {phase: details['duration_weeks'] for phase, details in self.transformation_phases.items()}
}
return timeline
# Example usage
def create_transformation_plan():
"""
Example of creating a security mindset transformation plan
"""
transformation = SecurityMindsetTransformation()
# Create plan for a team of 8 developers at beginner maturity level
plan = transformation.create_transformation_plan(
team_size=8,
current_maturity='beginner'
)
print(f"Security Mindset Transformation Plan:")
print(f"Team Size: {plan['team_size']}")
print(f"Current Maturity: {plan['current_maturity']}")
print(f"Total Duration: {plan['total_duration_weeks']} weeks")
print(f"Resource Requirements:")
print(f" Training Hours: {plan['resource_requirements']['training_hours']}")
print(f" Tool Licenses: {plan['resource_requirements']['tools_licenses']}")
print(f"\nTransformation Phases:")
for activity in plan['recommended_activities']:
print(f" {activity['phase'].title()} ({activity['duration_weeks']} weeks, weeks {activity['start_week']}-{activity['end_week']}):")
for act in activity['activities']:
print(f" - {act}")
print(f"\nSuccess Milestones:")
for milestone in plan['success_milestones']:
print(f" Week {milestone['week']}: {milestone['milestone']}")
return plan
# Run example
# plan = create_transformation_plan()Creating Psychological Safety
Building Trust for Security Discussions
Creating an environment where team members feel safe to discuss security concerns:
PYTHON
# Example: Psychological safety for security framework
class PsychologicalSafetyForSecurity:
"""
Framework for creating psychological safety around security discussions
"""
def __init__(self):
self.safety_principles = self.define_safety_principles()
self.trust_building_activities = self.define_trust_activities()
self.safety_metrics = self.define_safety_metrics()
def define_safety_principles(self) -> Dict[str, str]:
"""
Define principles for psychological safety in security contexts
"""
return {
'no_blame_incident_response': 'Focus on system improvements, not individual blame',
'open_discussion_encouraged': 'Encourage open discussion of security concerns',
'learning_from_mistakes': 'Treat security mistakes as learning opportunities',
'accessible_security_team': 'Make security team approachable and helpful',
'constructive_feedback': 'Provide constructive feedback on security issues',
'inclusive_decision_making': 'Include development teams in security decisions',
'transparency_in_communication': 'Be transparent about security processes and decisions',
'support_for_reporting': 'Support and reward security issue reporting'
}
def define_trust_activities(self) -> Dict[str, List[str]]:
"""
Define activities that build trust and psychological safety
"""
return {
'team_building': [
'Security-focused team lunches',
'Cross-team collaboration sessions',
'Security book clubs',
'Security hackathons'
],
'communication_practices': [
'Security office hours',
'Anonymous security suggestion box',
'Security champions program',
'Regular security town halls'
],
'incident_response_practices': [
'No-blame postmortems',
'Learning-focused incident reviews',
'Cross-team incident response',
'Incident response training'
],
'feedback_mechanisms': [
'Security feedback sessions',
'Tool usability reviews',
'Process improvement workshops',
'Security survey feedback'
]
}
def define_safety_metrics(self) -> Dict[str, Dict[str, Any]]:
"""
Define metrics for measuring psychological safety in security contexts
"""
return {
'reporting_metrics': {
'security_issues_reported': {
'description': 'Number of security issues reported by development teams',
'target': 'increasing trend',
'measurement_frequency': 'monthly'
},
'near_misses_reported': {
'description': 'Number of potential security issues reported before exploitation',
'target': 'increasing trend',
'measurement_frequency': 'monthly'
},
'security_concerns_raised': {
'description': 'Number of security concerns raised in team meetings',
'target': 'increasing trend',
'measurement_frequency': 'monthly'
}
},
'participation_metrics': {
'security_training_attendance': {
'description': 'Attendance rate for voluntary security training',
'target': 80, # percentage
'measurement_frequency': 'monthly'
},
'security_champions_active': {
'description': 'Number of active security champions',
'target': 1, # per team of 10
'measurement_frequency': 'monthly'
},
'security_tool_adoption': {
'description': 'Percentage of developers using security tools',
'target': 90, # percentage
'measurement_frequency': 'monthly'
}
},
'culture_metrics': {
'psychological_safety_score': {
'description': 'Team\'s psychological safety score regarding security',
'target': 4.0, # out of 5
'measurement_frequency': 'quarterly'
},
'security_collaboration_score': {
'description': 'Effectiveness of collaboration between dev and security teams',
'target': 4.0, # out of 5
'measurement_frequency': 'quarterly'
},
'security_trust_score': {
'description': 'Trust in security team and processes',
'target': 4.0, # out of 5
'measurement_frequency': 'quarterly'
}
}
}
def create_safety_building_plan(self, team_size: int) -> Dict[str, Any]:
"""
Create a plan for building psychological safety around security
"""
plan = {
'team_size': team_size,
'safety_principles': list(self.safety_principles.keys()),
'recommended_activities': [],
'implementation_timeline': {},
'success_indicators': []
}
# Add activities based on team size
activities_per_size = {
'small': ['team_building', 'communication_practices'], # 1-5 members
'medium': ['team_building', 'communication_practices', 'incident_response_practices'], # 6-10 members
'large': ['all'] # 11+ members
}
if team_size <= 5:
activity_categories = activities_per_size['small']
elif team_size <= 10:
activity_categories = activities_per_size['medium']
else:
activity_categories = activities_per_size['large']
for category in activity_categories if 'all' not in activity_categories else self.trust_building_activities.keys():
for activity in self.trust_building_activities[category]:
plan['recommended_activities'].append({
'category': category,
'activity': activity,
'recommended_frequency': self.determine_frequency(activity),
'estimated_effort_hours': self.estimate_effort(activity, team_size)
})
# Create implementation timeline
plan['implementation_timeline'] = {
'months_1_2': 'Establish communication practices and team building',
'months_3_4': 'Implement feedback mechanisms and incident response practices',
'months_5_6': 'Evaluate and refine safety measures'
}
# Define success indicators
plan['success_indicators'] = [
'Increase in security issues reported by development teams',
'Improvement in psychological safety scores',
'Higher attendance at voluntary security training',
'More proactive security discussions in team meetings',
'Positive feedback on collaboration with security team'
]
return plan
def determine_frequency(self, activity: str) -> str:
"""
Determine recommended frequency for an activity
"""
frequency_map = {
'Security office hours': 'weekly',
'Security-focused team lunches': 'bi-weekly',
'Cross-team collaboration sessions': 'monthly',
'Security book clubs': 'monthly',
'Security hackathons': 'quarterly',
'Anonymous security suggestion box': 'continuous',
'Security champions program': 'continuous',
'Regular security town halls': 'monthly',
'No-blame postmortems': 'as needed',
'Learning-focused incident reviews': 'as needed',
'Cross-team incident response': 'as needed',
'Incident response training': 'quarterly',
'Security feedback sessions': 'monthly',
'Tool usability reviews': 'quarterly',
'Process improvement workshops': 'quarterly',
'Security survey feedback': 'quarterly'
}
return frequency_map.get(activity, 'monthly')
def estimate_effort(self, activity: str, team_size: int) -> int:
"""
Estimate effort required for an activity
"""
base_effort = {
'Security office hours': 2, # hours per session
'Security-focused team lunches': 1, # hour per session
'Cross-team collaboration sessions': 4, # hours per session
'Security book clubs': 2, # hours per session
'Security hackathons': 8, # hours per event
'Anonymous security suggestion box': 0.5, # hours of management per month
'Security champions program': 1, # hours per champion per month
'Regular security town halls': 2, # hours per session
'No-blame postmortems': 4, # hours per incident
'Learning-focused incident reviews': 3, # hours per incident
'Cross-team incident response': 2, # hours per incident
'Incident response training': 4, # hours per session
'Security feedback sessions': 2, # hours per session
'Tool usability reviews': 3, # hours per review
'Process improvement workshops': 4, # hours per session
'Security survey feedback': 1 # hours of analysis per survey
}
effort = base_effort.get(activity, 2) # default to 2 hours
# Adjust effort based on team size
if 'per session' in activity or 'per event' in activity:
effort *= min(team_size, 20) # cap at 20 people to avoid excessive effort
return effort
# Example usage
def create_safety_plan():
"""
Example of creating a psychological safety plan for security
"""
safety_framework = PsychologicalSafetyForSecurity()
# Create plan for a team of 6 developers
plan = safety_framework.create_safety_building_plan(team_size=6)
print(f"Psychological Safety Plan for Security (Team Size: {plan['team_size']}):")
print(f"Recommended Activities: {len(plan['recommended_activities'])}")
for activity in plan['recommended_activities']:
print(f" - {activity['activity']} ({activity['category']}) - {activity['recommended_frequency']}, ~{activity['estimated_effort_hours']} hours")
print(f"\nImplementation Timeline:")
for period, activities in plan['implementation_timeline'].items():
print(f" {period}: {activities}")
print(f"\nSuccess Indicators:")
for indicator in plan['success_indicators']:
print(f" - {indicator}")
return plan
# Run example
# plan = create_safety_plan()Security Training Programs
Comprehensive Security Training Curriculum
Training Program Structure
PYTHON
# Example: Comprehensive security training program
import json
from datetime import datetime, timedelta
from typing import Dict, List, Any
from dataclasses import dataclass
@dataclass
class TrainingModule:
id: str
title: str
description: str
duration_hours: int
difficulty_level: str
target_audience: List[str]
prerequisites: List[str]
learning_objectives: List[str]
hands_on_exercises: List[str]
class SecurityTrainingProgram:
"""
Comprehensive security training program for DevSecOps
"""
def __init__(self):
self.curriculum = self.define_curriculum()
self.training_paths = self.define_training_paths()
self.assessment_methods = self.define_assessment_methods()
self.progress_tracking = {}
def define_curriculum(self) -> Dict[str, TrainingModule]:
"""
Define comprehensive security training curriculum
"""
return {
'security_fundamentals': TrainingModule(
id='sec-fund-001',
title='Security Fundamentals',
description='Core security concepts and principles',
duration_hours=8,
difficulty_level='beginner',
target_audience=['developers', 'devops', 'qa'],
prerequisites=[],
learning_objectives=[
'Understand basic security concepts',
'Recognize common security threats',
'Identify security responsibilities',
'Apply security mindset to development'
],
hands_on_exercises=[
'Security threat identification exercise',
'Basic vulnerability assessment',
'Security requirement analysis'
]
),
'secure_coding': TrainingModule(
id='sec-code-001',
title='Secure Coding Practices',
description='Writing secure code and avoiding common vulnerabilities',
duration_hours=16,
difficulty_level='intermediate',
target_audience=['developers'],
prerequisites=['security_fundamentals'],
learning_objectives=[
'Implement secure coding techniques',
'Avoid common coding vulnerabilities',
'Use secure libraries and frameworks',
'Conduct security code reviews'
],
hands_on_exercises=[
'OWASP Top 10 vulnerability fixes',
'Secure authentication implementation',
'Input validation exercises',
'Security testing automation'
]
),
'devsecops_tools': TrainingModule(
id='devsecops-tools-001',
title='DevSecOps Security Tools',
description='Using security tools in CI/CD pipelines',
duration_hours=12,
difficulty_level='intermediate',
target_audience=['devops', 'developers'],
prerequisites=['security_fundamentals'],
learning_objectives=[
'Integrate security tools in pipelines',
'Configure security scanning tools',
'Interpret security scan results',
'Implement security quality gates'
],
hands_on_exercises=[
'SAST tool integration',
'Dependency scanning setup',
'Security policy configuration',
'Automated security testing'
]
),
'container_security': TrainingModule(
id='container-sec-001',
title='Container Security',
description='Securing containerized applications',
duration_hours=10,
difficulty_level='intermediate',
target_audience=['devops', 'developers'],
prerequisites=['devsecops_tools'],
learning_objectives=[
'Create secure container images',
'Configure container runtime security',
'Implement container orchestration security',
'Scan container vulnerabilities'
],
hands_on_exercises=[
'Secure Dockerfile creation',
'Container runtime security configuration',
'Kubernetes security policy setup',
'Container image scanning'
]
),
'cloud_security': TrainingModule(
id='cloud-sec-001',
title='Cloud Security',
description='Securing cloud infrastructure and applications',
duration_hours=14,
difficulty_level='intermediate',
target_audience=['devops', 'developers'],
prerequisites=['devsecops_tools'],
learning_objectives=[
'Implement cloud security best practices',
'Configure cloud security services',
'Manage cloud identities and access',
'Monitor cloud security posture'
],
hands_on_exercises=[
'IAM policy configuration',
'Cloud security group setup',
'Encryption key management',
'Cloud security monitoring'
]
),
'incident_response': TrainingModule(
id='incident-resp-001',
title='Security Incident Response',
description='Responding to and managing security incidents',
duration_hours=8,
difficulty_level='intermediate',
target_audience=['developers', 'devops', 'security'],
prerequisites=['security_fundamentals'],
learning_objectives=[
'Identify security incidents',
'Follow incident response procedures',
'Contain and remediate incidents',
'Document and learn from incidents'
],
hands_on_exercises=[
'Incident simulation exercises',
'Forensic analysis practice',
'Communication protocol practice',
'Post-incident review simulation'
]
),
'compliance_automation': TrainingModule(
id='compliance-auto-001',
title='Compliance Automation',
description='Automating compliance in DevSecOps pipelines',
duration_hours=10,
difficulty_level='advanced',
target_audience=['devops', 'developers', 'compliance'],
prerequisites=['devsecops_tools', 'cloud_security'],
learning_objectives=[
'Implement compliance as code',
'Automate compliance checking',
'Generate compliance reports',
'Integrate compliance in pipelines'
],
hands_on_exercises=[
'Policy as code implementation',
'Compliance scanning automation',
'Report generation automation',
'Compliance quality gates'
]
),
'security_architecture': TrainingModule(
id='sec-arch-001',
title='Security Architecture',
description='Designing secure system architectures',
duration_hours=12,
difficulty_level='advanced',
target_audience=['architects', 'senior developers'],
prerequisites=['secure_coding', 'cloud_security'],
learning_objectives=[
'Design secure system architectures',
'Implement security patterns',
'Evaluate security trade-offs',
'Conduct security architecture reviews'
],
hands_on_exercises=[
'Secure architecture design',
'Threat modeling exercises',
'Security pattern implementation',
'Architecture risk assessment'
]
)
}
def define_training_paths(self) -> Dict[str, Dict[str, Any]]:
"""
Define training paths for different roles
"""
return {
'developer_path': {
'name': 'Developer Security Training Path',
'description': 'Security training for software developers',
'modules': [
'security_fundamentals',
'secure_coding',
'devsecops_tools',
'incident_response'
],
'total_duration': 44,
'prerequisites': [],
'career_benefits': [
'Write more secure code',
'Reduce security vulnerabilities',
'Improve application security posture',
'Enhance career prospects'
]
},
'devops_path': {
'name': 'DevOps Security Training Path',
'description': 'Security training for DevOps engineers',
'modules': [
'security_fundamentals',
'devsecops_tools',
'container_security',
'cloud_security',
'incident_response'
],
'total_duration': 54,
'prerequisites': [],
'career_benefits': [
'Build secure CI/CD pipelines',
'Implement infrastructure security',
'Manage cloud security effectively',
'Lead security automation initiatives'
]
},
'security_champion_path': {
'name': 'Security Champion Training Path',
'description': 'Advanced training for security champions',
'modules': [
'security_fundamentals',
'secure_coding',
'devsecops_tools',
'container_security',
'cloud_security',
'incident_response',
'compliance_automation',
'security_architecture'
],
'total_duration': 96,
'prerequisites': ['developer_path', 'devops_path'],
'career_benefits': [
'Lead security initiatives',
'Mentor team members on security',
'Design security architecture',
'Drive organizational security culture'
]
}
}
def define_assessment_methods(self) -> Dict[str, Dict[str, Any]]:
"""
Define methods for assessing training effectiveness
"""
return {
'knowledge_checks': {
'type': 'quiz',
'frequency': 'per_module',
'passing_score': 80,
'question_types': ['multiple_choice', 'true_false', 'scenario_based']
},
'hands_on_assessments': {
'type': 'practical',
'frequency': 'per_module',
'passing_criteria': 'successful_completion_of_exercises',
'evaluation_method': 'peer_review_and_mentor_feedback'
},
'capstone_projects': {
'type': 'project',
'frequency': 'end_of_path',
'requirements': 'implement_security_solution_for_real_scenario',
'evaluation': 'security_team_review'
},
'continuous_learning': {
'type': 'ongoing',
'frequency': 'monthly',
'requirements': 'complete_security_training_hours',
'tracking': 'learning_management_system'
}
}
def enroll_learner(self, learner_id: str, training_path: str, start_date: datetime = None) -> Dict[str, Any]:
"""
Enroll a learner in a training path
"""
if start_date is None:
start_date = datetime.utcnow()
path_info = self.training_paths.get(training_path)
if not path_info:
raise ValueError(f"Training path {training_path} not found")
enrollment = {
'learner_id': learner_id,
'training_path': training_path,
'start_date': start_date.isoformat(),
'modules': [
{
'module_id': module_id,
'module_info': self.curriculum.get(module_id).__dict__ if self.curriculum.get(module_id) else {},
'status': 'not_started',
'progress': 0,
'completion_date': None,
'assessment_results': {}
}
for module_id in path_info['modules']
],
'overall_progress': 0,
'estimated_completion': (start_date + timedelta(
days=path_info['total_duration'] # Assuming 1 day per hour for estimation
)).isoformat(),
'status': 'in_progress'
}
self.progress_tracking[learner_id] = enrollment
return enrollment
def update_module_progress(self, learner_id: str, module_id: str, progress: int, status: str = None) -> Dict[str, Any]:
"""
Update progress for a specific module
"""
if learner_id not in self.progress_tracking:
raise ValueError(f"Learner {learner_id} not enrolled in any training")
enrollment = self.progress_tracking[learner_id]
# Find the module and update its progress
for module in enrollment['modules']:
if module['module_id'] == module_id:
module['progress'] = progress
if status:
module['status'] = status
if progress == 100 and status in ['completed', 'passed']:
module['completion_date'] = datetime.utcnow().isoformat()
break
else:
raise ValueError(f"Module {module_id} not found in learner's path")
# Calculate overall progress
total_modules = len(enrollment['modules'])
completed_modules = len([m for m in enrollment['modules'] if m['progress'] == 100])
enrollment['overall_progress'] = (completed_modules / total_modules) * 100 if total_modules > 0 else 0
# Update overall status
if enrollment['overall_progress'] == 100:
enrollment['status'] = 'completed'
elif enrollment['overall_progress'] > 0:
enrollment['status'] = 'in_progress'
else:
enrollment['status'] = 'not_started'
return enrollment
def get_learner_progress(self, learner_id: str) -> Dict[str, Any]:
"""
Get progress information for a learner
"""
if learner_id not in self.progress_tracking:
raise ValueError(f"Learner {learner_id} not found in progress tracking")
return self.progress_tracking[learner_id]
def generate_training_report(self, learner_id: str) -> Dict[str, Any]:
"""
Generate a comprehensive training report for a learner
"""
progress = self.get_learner_progress(learner_id)
report = {
'learner_id': learner_id,
'training_path': progress['training_path'],
'start_date': progress['start_date'],
'overall_progress': progress['overall_progress'],
'status': progress['status'],
'modules_completed': len([m for m in progress['modules'] if m['progress'] == 100]),
'modules_in_progress': len([m for m in progress['modules'] if 0 < m['progress'] < 100]),
'modules_not_started': len([m for m in progress['modules'] if m['progress'] == 0]),
'detailed_progress': [
{
'module_id': m['module_id'],
'title': m['module_info'].get('title', ''),
'progress': m['progress'],
'status': m['status'],
'completion_date': m['completion_date']
}
for m in progress['modules']
],
'recommendations': self.generate_recommendations(progress)
}
return report
def generate_recommendations(self, progress: Dict[str, Any]) -> List[str]:
"""
Generate recommendations based on learner progress
"""
recommendations = []
if progress['overall_progress'] < 25:
recommendations.append("Focus on completing foundational modules first")
recommendations.append("Consider additional mentoring support")
if progress['overall_progress'] < 50:
recommendations.append("Establish regular study schedule")
recommendations.append("Join study groups or peer learning sessions")
if progress['overall_progress'] >= 50 and progress['overall_progress'] < 75:
recommendations.append("Maintain consistent progress pace")
recommendations.append("Apply learned concepts to real projects")
if progress['overall_progress'] >= 75:
recommendations.append("Prepare for capstone project")
recommendations.append("Consider mentoring other learners")
# Check for specific module recommendations
incomplete_modules = [m for m in progress['modules'] if m['progress'] < 100]
if incomplete_modules:
next_module = incomplete_modules[0] # Recommend next incomplete module
recommendations.append(f"Complete {next_module['module_info'].get('title', next_module['module_id'])} module")
return recommendations
# Example usage
def run_training_program():
"""
Example of running the security training program
"""
training_program = SecurityTrainingProgram()
# Display available training paths
print("Available Training Paths:")
for path_id, path_info in training_program.training_paths.items():
print(f" {path_info['name']}: {path_info['total_duration']} hours")
print(f" Modules: {', '.join(path_info['modules'])}")
# Enroll a learner
enrollment = training_program.enroll_learner(
learner_id='dev001',
training_path='developer_path'
)
print(f"\nLearner enrolled: {enrollment['learner_id']}")
print(f"Training path: {enrollment['training_path']}")
print(f"Estimated completion: {enrollment['estimated_completion']}")
# Update progress for some modules
training_program.update_module_progress('dev001', 'security_fundamentals', 100, 'completed')
training_program.update_module_progress('dev001', 'secure_coding', 75, 'in_progress')
training_program.update_module_progress('dev001', 'devsecops_tools', 30, 'in_progress')
# Generate report
report = training_program.generate_training_report('dev001')
print(f"\nTraining Progress Report for {report['learner_id']}:")
print(f"Overall Progress: {report['overall_progress']:.1f}%")
print(f"Status: {report['status']}")
print(f"Modules Completed: {report['modules_completed']}")
print(f"Modules In Progress: {report['modules_in_progress']}")
print(f"\nDetailed Progress:")
for module in report['detailed_progress']:
print(f" {module['title']}: {module['progress']}% ({module['status']})")
print(f"\nRecommendations:")
for rec in report['recommendations']:
print(f" - {rec}")
return report
# Run example
# report = run_training_program()Hands-on Security Training
Practical Security Exercises
PYTHON
# Example: Hands-on security training exercises
import subprocess
import tempfile
import os
from typing import Dict, List, Any
import json
class HandsOnSecurityTraining:
"""
Framework for hands-on security training exercises
"""
def __init__(self):
self.exercise_templates = self.define_exercise_templates()
self.vulnerable_apps = self.define_vulnerable_applications()
self.training_scenarios = self.define_training_scenarios()
def define_exercise_templates(self) -> Dict[str, Dict[str, Any]]:
"""
Define templates for different types of security exercises
"""
return {
'vulnerability_identification': {
'name': 'Vulnerability Identification Exercise',
'description': 'Identify security vulnerabilities in code or configuration',
'duration_minutes': 45,
'difficulty': 'beginner_to_intermediate',
'prerequisites': ['security_fundamentals'],
'learning_objectives': [
'Recognize common vulnerability patterns',
'Use security scanning tools',
'Understand vulnerability impact',
'Document findings properly'
],
'steps': [
'Review provided code/configuration',
'Use manual inspection techniques',
'Run automated security tools',
'Document identified vulnerabilities',
'Prioritize findings by severity'
],
'evaluation_criteria': [
'Number of vulnerabilities identified',
'Accuracy of vulnerability classification',
'Quality of documentation',
'Proper prioritization'
]
},
'secure_coding': {
'name': 'Secure Coding Exercise',
'description': 'Fix security vulnerabilities in vulnerable code',
'duration_minutes': 90,
'difficulty': 'intermediate',
'prerequisites': ['secure_coding_principles'],
'learning_objectives': [
'Apply secure coding techniques',
'Fix common vulnerability types',
'Test security fixes',
'Prevent regression of security'
],
'steps': [
'Analyze vulnerable code',
'Identify security issues',
'Implement secure fixes',
'Test fixes for functionality',
'Verify security improvements'
],
'evaluation_criteria': [
'Vulnerabilities properly fixed',
'No functionality broken',
'Security improvements verified',
'Code quality maintained'
]
},
'security_tool_integration': {
'name': 'Security Tool Integration Exercise',
'description': 'Integrate security tools into CI/CD pipeline',
'duration_minutes': 120,
'difficulty': 'intermediate_to_advanced',
'prerequisites': ['devsecops_fundamentals'],
'learning_objectives': [
'Configure security scanning tools',
'Integrate tools into pipelines',
'Set up quality gates',
'Handle scan results effectively'
],
'steps': [
'Set up security tools',
'Configure tool parameters',
'Integrate with CI/CD',
'Configure quality gates',
'Test integration thoroughly'
],
'evaluation_criteria': [
'Tools properly configured',
'Integration successful',
'Quality gates functional',
'Results properly handled'
]
},
'incident_response_simulation': {
'name': 'Incident Response Simulation',
'description': 'Respond to simulated security incident',
'duration_minutes': 180,
'difficulty': 'intermediate_to_advanced',
'prerequisites': ['incident_response_fundamentals'],
'learning_objectives': [
'Follow incident response procedures',
'Contain security incidents',
'Preserve evidence',
'Communicate effectively during incidents'
],
'steps': [
'Detect incident indicators',
'Activate response procedures',
'Contain the incident',
'Eradicate threat',
'Recover and restore'
],
'evaluation_criteria': [
'Procedures followed correctly',
'Incident contained effectively',
'Evidence preserved',
'Communication handled properly'
]
}
}
def define_vulnerable_applications(self) -> Dict[str, Dict[str, Any]]:
"""
Define vulnerable applications for training exercises
"""
return {
'webgoat': {
'name': 'WebGoat',
'description': 'Deliberately insecure Web Application',
'type': 'web_application',
'vulnerabilities': [
'SQL Injection',
'Cross-Site Scripting (XSS)',
'Insecure Deserialization',
'Authentication Bypass',
'Access Control Issues'
],
'setup_instructions': 'docker run -p 8080:8080 -p 9090:9090 webgoat/goatandwolf',
'learning_focus': 'Web application security testing and remediation'
},
'juice_shop': {
'name': 'OWASP Juice Shop',
'description': 'Vulnerable Web Application',
'type': 'web_application',
'vulnerabilities': [
'Injection Flaws',
'Broken Authentication',
'Sensitive Data Exposure',
'XML External Entities',
'Broken Access Control'
],
'setup_instructions': 'docker run -p 3000:3000 bkimminich/juice-shop',
'learning_focus': 'Practical penetration testing and vulnerability remediation'
},
'vulnerable_node_app': {
'name': 'Vulnerable Node.js Application',
'description': 'Node.js application with common security flaws',
'type': 'web_application',
'vulnerabilities': [
'Prototype Pollution',
'Server-Side Request Forgery',
'Insecure Deserialization',
'Command Injection',
'NoSQL Injection'
],
'setup_instructions': 'git clone https://github.com/cliffe/secureshop && cd secureshop && npm install && npm start',
'learning_focus': 'Node.js specific security issues and fixes'
},
'insecure_kubernetes': {
'name': 'Insecure Kubernetes Setup',
'description': 'Kubernetes cluster with security misconfigurations',
'type': 'container_orchestration',
'vulnerabilities': [
'Privileged Containers',
'Insecure RBAC Configuration',
'Weak Network Policies',
'Unencrypted Secrets',
'Permissive Admission Controllers'
],
'setup_instructions': 'kind create cluster --config insecure-cluster.yaml',
'learning_focus': 'Kubernetes security configuration and hardening'
}
}
def define_training_scenarios(self) -> Dict[str, Dict[str, Any]]:
"""
Define realistic training scenarios
"""
return {
'scenario_1': {
'title': 'E-commerce Application Security Review',
'description': 'Review and secure a new e-commerce application',
'context': 'Company is launching new e-commerce platform, needs security review before production',
'vulnerabilities_to_find': [
'SQL Injection in product search',
'Weak authentication mechanism',
'Insecure direct object references',
'Missing input validation',
'Insufficient logging'
],
'time_limit': 180, # minutes
'success_criteria': [
'All critical vulnerabilities identified',
'Security recommendations provided',
'Risk assessment completed',
'Remediation plan created'
],
'tools_to_use': ['static_analysis', 'dynamic_analysis', 'dependency_scanner'],
'deliverables': ['vulnerability_report', 'remediation_plan', 'risk_assessment']
},
'scenario_2': {
'title': 'CI/CD Security Pipeline Implementation',
'description': 'Implement security scanning in existing CI/CD pipeline',
'context': 'Development team wants to add security scanning to their existing pipeline',
'requirements': [
'SAST scanning integration',
'Dependency vulnerability scanning',
'Container image scanning',
'Security quality gates',
'Automated reporting'
],
'time_limit': 240, # minutes
'success_criteria': [
'All tools integrated successfully',
'Quality gates functioning',
'False positive management',
'Team training completed',
'Documentation provided'
],
'tools_to_use': ['sast_tool', 'sca_tool', 'container_scanner', 'pipeline_automation'],
'deliverables': ['integrated_pipeline', 'configuration_documentation', 'team_training_material']
},
'scenario_3': {
'title': 'Security Incident Response',
'description': 'Respond to a simulated security breach',
'context': 'Security monitoring detected suspicious activity, possible data breach',
'incident_type': 'data_breach',
'severity': 'high',
'time_limit': 360, # minutes
'success_criteria': [
'Incident properly classified',
'Appropriate response procedures followed',
'Evidence properly preserved',
'Stakeholders appropriately notified',
'Lessons learned documented'
],
'response_phases': ['detection', 'containment', 'eradication', 'recovery', 'lessons_learned'],
'deliverables': ['incident_report', 'forensic_analysis', 'improvement_plan']
}
}
def setup_exercise_environment(self, exercise_type: str, learner_id: str) -> Dict[str, Any]:
"""
Set up environment for a specific exercise
"""
# Create temporary directory for the exercise
temp_dir = tempfile.mkdtemp(prefix=f"security_exercise_{learner_id}_")
setup_info = {
'exercise_type': exercise_type,
'learner_id': learner_id,
'environment_path': temp_dir,
'setup_timestamp': '2023-12-01T10:00:00Z',
'status': 'setup_complete',
'access_instructions': f'cd {temp_dir}',
'cleanup_required': True
}
# Set up specific environment based on exercise type
if exercise_type == 'vulnerability_identification':
self._setup_vulnerability_identification_env(temp_dir)
elif exercise_type == 'secure_coding':
self._setup_secure_coding_env(temp_dir)
elif exercise_type == 'security_tool_integration':
self._setup_tool_integration_env(temp_dir)
elif exercise_type == 'incident_response_simulation':
self._setup_incident_response_env(temp_dir)
return setup_info
def _setup_vulnerability_identification_env(self, temp_dir: str):
"""
Set up environment for vulnerability identification exercise
"""
# Create sample vulnerable code files
vulnerable_code = '''
// Vulnerable code example - SQL Injection
app.get('/user/:id', (req, res) => {
const userId = req.params.id;
// VULNERABLE: Direct use of user input in query
const query = `SELECT * FROM users WHERE id = ${userId}`;
db.query(query, (err, results) => {
if (err) throw err;
res.json(results);
});
});
// Another vulnerability - XSS
app.get('/search', (req, res) => {
const searchTerm = req.query.term;
// VULNERABLE: Unsanitized user input in response
res.send(`<div>Search results for: ${searchTerm}</div>`);
});
'''
with open(os.path.join(temp_dir, 'vulnerable_app.js'), 'w') as f:
f.write(vulnerable_code)
def _setup_secure_coding_env(self, temp_dir: str):
"""
Set up environment for secure coding exercise
"""
# Create vulnerable code that needs to be fixed
fixable_code = '''
// Code with security vulnerabilities - needs fixing
const express = require('express');
const app = express();
// Vulnerability 1: SQL Injection
app.get('/user/:id', (req, res) => {
const userId = req.params.id;
const query = `SELECT * FROM users WHERE id = ${userId}`; // FIX NEEDED
db.query(query, (err, results) => {
res.json(results);
});
});
// Vulnerability 2: XSS
app.get('/welcome', (req, res) => {
const name = req.query.name;
res.send(`Welcome ${name}!`); // FIX NEEDED
});
// Vulnerability 3: Hardcoded credentials
const dbConfig = {
host: 'localhost',
user: 'admin',
password: 'supersecret123' // FIX NEEDED
};
// TODO: Fix all security vulnerabilities above
'''
with open(os.path.join(temp_dir, 'fixable_app.js'), 'w') as f:
f.write(fixable_code)
# Create instructions file
instructions = '''
Security Coding Exercise Instructions:
Your task is to fix the security vulnerabilities in fixable_app.js:
1. Fix SQL Injection vulnerability in the /user/:id endpoint
2. Fix XSS vulnerability in the /welcome endpoint
3. Fix hardcoded credentials issue
4. Add proper input validation and sanitization
5. Test that functionality still works after fixes
Submit your fixed code in fixed_app.js
'''
with open(os.path.join(temp_dir, 'instructions.txt'), 'w') as f:
f.write(instructions)
def _setup_tool_integration_env(self, temp_dir: str):
"""
Set up environment for tool integration exercise
"""
# Create sample application to secure
sample_app = '''
# Sample Python Flask application
from flask import Flask, request, jsonify
import sqlite3
app = Flask(__name__)
@app.route('/api/users/<int:user_id>')
def get_user(user_id):
conn = sqlite3.connect('users.db')
cursor = conn.cursor()
# Vulnerable query - needs security scanning
cursor.execute(f"SELECT * FROM users WHERE id = {user_id}")
user = cursor.fetchone()
conn.close()
return jsonify(user)
if __name__ == '__main__':
app.run(debug=True)
'''
with open(os.path.join(temp_dir, 'app.py'), 'w') as f:
f.write(sample_app)
# Create requirements file
requirements = '''
flask==2.3.2
pylint==2.17.4
bandit==1.7.5
'''
with open(os.path.join(temp_dir, 'requirements.txt'), 'w') as f:
f.write(requirements)
# Create CI/CD pipeline file
pipeline = '''
name: CI/CD with Security
on: [push, pull_request]
jobs:
security:
runs-on: ubuntu-latest
steps:
# TODO: Add security scanning tools here
# - Run SAST scan
# - Run dependency scan
# - Run container scan (if applicable)
# - Set up security quality gates
# - Generate security reports
'''
with open(os.path.join(temp_dir, 'pipeline.yml'), 'w') as f:
f.write(pipeline)
def _setup_incident_response_env(self, temp_dir: str):
"""
Set up environment for incident response simulation
"""
# Create incident scenario data
scenario_data = {
'incident_id': 'INC-20231201-001',
'timestamp': '2023-12-01T09:30:00Z',
'severity': 'high',
'type': 'suspicious_login_activity',
'description': 'Multiple failed login attempts followed by successful login from unusual location',
'affected_systems': ['web_server_001', 'db_server_001'],
'evidence': [
{'timestamp': '2023-12-01T09:25:15Z', 'event': 'Failed login attempt from 192.168.1.100'},
{'timestamp': '2023-12-01T09:25:18Z', 'event': 'Failed login attempt from 192.168.1.100'},
{'timestamp': '2023-12-01T09:25:22Z', 'event': 'Successful login from 192.168.1.100'},
{'timestamp': '2023-12-01T09:26:15Z', 'event': 'Unusual data access pattern detected'}
],
'affected_users': ['user001', 'user002'],
'initial_containment': 'network_isolation_of_affected_systems'
}
with open(os.path.join(temp_dir, 'incident_scenario.json'), 'w') as f:
json.dump(scenario_data, f, indent=2)
# Create incident response procedures
procedures = '''
Incident Response Procedures:
Phase 1: Detection and Analysis
- Review security alerts and logs
- Determine scope and impact
- Classify incident type and severity
Phase 2: Containment, Eradication, and Recovery
- Isolate affected systems
- Remove threat from systems
- Restore systems from clean backups
- Verify system integrity
Phase 3: Post-Incident Activity
- Document incident details
- Conduct lessons learned session
- Update security controls
- Communicate with stakeholders
'''
with open(os.path.join(temp_dir, 'response_procedures.txt'), 'w') as f:
f.write(procedures)
def evaluate_exercise_completion(self, learner_id: str, exercise_type: str, submission_path: str) -> Dict[str, Any]:
"""
Evaluate learner's completion of an exercise
"""
evaluation = {
'learner_id': learner_id,
'exercise_type': exercise_type,
'submission_path': submission_path,
'evaluation_timestamp': '2023-12-01T12:00:00Z',
'criteria_evaluated': [],
'overall_score': 0,
'feedback': [],
'recommendations': []
}
# Evaluate based on exercise type
if exercise_type == 'vulnerability_identification':
evaluation = self._evaluate_vulnerability_identification(learner_id, submission_path, evaluation)
elif exercise_type == 'secure_coding':
evaluation = self._evaluate_secure_coding(learner_id, submission_path, evaluation)
elif exercise_type == 'security_tool_integration':
evaluation = self._evaluate_tool_integration(learner_id, submission_path, evaluation)
elif exercise_type == 'incident_response_simulation':
evaluation = self._evaluate_incident_response(learner_id, submission_path, evaluation)
return evaluation
def _evaluate_vulnerability_identification(self, learner_id: str, submission_path: str, evaluation: Dict[str, Any]) -> Dict[str, Any]:
"""
Evaluate vulnerability identification exercise
"""
# Check if submission contains vulnerability report
report_path = os.path.join(submission_path, 'vulnerability_report.txt')
if os.path.exists(report_path):
with open(report_path, 'r') as f:
report_content = f.read()
# Simple check for vulnerability mentions
vulnerabilities_mentioned = 0
for vuln_type in ['SQL Injection', 'XSS', 'Authentication Bypass']:
if vuln_type.lower() in report_content.lower():
vulnerabilities_mentioned += 1
evaluation['criteria_evaluated'].append({
'criterion': 'vulnerabilities_identified',
'score': min(vulnerabilities_mentioned * 20, 100), # 20 points per vulnerability, max 100
'details': f'Identified {vulnerabilities_mentioned} out of expected vulnerabilities'
})
evaluation['overall_score'] = sum(c['score'] for c in evaluation['criteria_evaluated'])
evaluation['feedback'] = ['Good identification of common vulnerabilities', 'Consider adding more detail on remediation steps']
evaluation['recommendations'] = ['Practice with more complex vulnerability scenarios', 'Learn to use automated scanning tools']
return evaluation
# Example usage
def run_hands_on_training():
"""
Example of running hands-on security training
"""
training = HandsOnSecurityTraining()
print("Available Exercise Types:")
for ex_id, ex_info in training.exercise_templates.items():
print(f" {ex_info['name']} ({ex_info['duration_minutes']} min) - {ex_info['difficulty']}")
print(f"\nAvailable Vulnerable Applications:")
for app_id, app_info in training.vulnerable_apps.items():
print(f" {app_info['name']}: {app_info['description']}")
print(f"\nAvailable Training Scenarios:")
for scen_id, scen_info in training.training_scenarios.items():
print(f" {scen_info['title']}: {scen_info['description']}")
# Set up an exercise environment
env_info = training.setup_exercise_environment('secure_coding', 'learner001')
print(f"\nExercise environment set up at: {env_info['environment_path']}")
return env_info
# Run example
# env_info = run_hands_on_training()Security Champions Program
Establishing Security Champions
Security Champion Role Definition
PYTHON
# Example: Security champions program framework
from datetime import datetime
from typing import Dict, List, Any
import json
class SecurityChampionsProgram:
"""
Framework for establishing and managing a security champions program
"""
def __init__(self):
self.champion_roles = self.define_champion_roles()
self.champion_responsibilities = self.define_responsibilities()
self.champion_selection_criteria = self.define_selection_criteria()
self.champion_training_path = self.define_champion_training()
self.program_metrics = self.define_program_metrics()
def define_champion_roles(self) -> Dict[str, Dict[str, Any]]:
"""
Define different levels and types of security champions
"""
return {
'team_security_champion': {
'level': 'team',
'responsibilities': [
'Review security aspects of team deliverables',
'Facilitate security discussions in team meetings',
'Mentor team members on security practices',
'Act as liaison between team and security organization',
'Ensure security requirements are met in development'
],
'time_commitment': '20%', # percentage of time
'reporting_structure': 'team_lead',
'required_skills': [
'Basic security knowledge',
'Communication skills',
'Development experience',
'Willingness to learn'
]
},
'domain_security_champion': {
'level': 'domain',
'responsibilities': [
'Oversee security practices across multiple teams',
'Coordinate security initiatives within domain',
'Provide advanced security guidance',
'Represent domain in security working groups',
'Drive security architecture decisions'
],
'time_commitment': '40%',
'reporting_structure': 'domain_architect',
'required_skills': [
'Advanced security knowledge',
'Leadership skills',
'Architecture experience',
'Cross-team collaboration'
]
},
'community_security_champion': {
'level': 'organization',
'responsibilities': [
'Drive organization-wide security initiatives',
'Mentor other security champions',
'Contribute to security tools and processes',
'Represent organization at security events',
'Shape security strategy and policy'
],
'time_commitment': '60%',
'reporting_structure': 'ciso',
'required_skills': [
'Expert security knowledge',
'Strategic thinking',
'Influence without authority',
'External representation'
]
}
}
def define_responsibilities(self) -> Dict[str, List[str]]:
"""
Define core responsibilities for security champions
"""
return {
'technical_responsibilities': [
'Review security aspects of architecture decisions',
'Conduct security code reviews',
'Validate security test coverage',
'Ensure secure configuration management',
'Monitor security scanning results',
'Implement security tool integrations',
'Assist in vulnerability remediation'
],
'communication_responsibilities': [
'Facilitate security discussions',
'Share security knowledge with team',
'Communicate security requirements',
'Report security metrics and issues',
'Participate in security working groups',
'Provide feedback on security tools/processes'
],
'training_responsibilities': [
'Mentor team members on security',
'Conduct security awareness sessions',
'Share lessons learned from incidents',
'Promote security best practices',
'Encourage security training participation',
'Create security documentation'
],
'process_responsibilities': [
'Ensure security gates are met',
'Improve security processes',
'Participate in security assessments',
'Support incident response activities',
'Maintain security knowledge base',
'Contribute to security policies'
]
}
def define_selection_criteria(self) -> Dict[str, Dict[str, Any]]:
"""
Define criteria for selecting security champions
"""
return {
'technical_criteria': {
'development_experience': {
'minimum_years': 2,
'weight': 0.25
},
'security_knowledge': {
'assessment_required': True,
'minimum_score': 70, # out of 100
'weight': 0.30
},
'tool_proficiency': {
'required_tools': ['git', 'ci/cd', 'basic_security_scanners'],
'weight': 0.15
}
},
'soft_skills_criteria': {
'communication_skills': {
'assessment_method': 'interview',
'minimum_rating': 3, # out of 5
'weight': 0.20
},
'leadership_potential': {
'assessment_method': 'peer_feedback',
'minimum_rating': 3, # out of 5
'weight': 0.10
}
}
}
def define_champion_training(self) -> Dict[str, Any]:
"""
Define comprehensive training path for security champions
"""
return {
'onboarding_training': {
'duration_weeks': 4,