We're often asked how large software companies can train their developers and testers in application security. We find a two step approach yields best results if your team is too large to train everybody on security:
A basic Security Awareness Workshop for the entire development team
An advanced Security Boot Camp for a smaller team
The awareness workshop can be a 2 - 3 hour program that illustrates the threats to applications, and the origin of vulnerabilities. It ensures that all team members are familiar with the risks and recognize the importance of safer coding practices. The objective of the Boot Camp is to quickly inject vital security expertise into the veins of the organization. A team of designers, developers and testers from different groups should be brought together for this more intense training program. After the Boot Camp, the participants become champions for spreading the security knowledge within the team. We describe this in greater detail in Training your Developers. We also share our strategies for training security testers in the Palisade interview What works in Training Security Testers. What has been your experience?