Security training for developers (annual)
Demonstrate that all personnel with software development responsibilities receive documented security training at least annually, with training content aligned to secure coding principles and the organization's technology stack.
Description
What this control does
This control requires that software developers, engineers, and other personnel who write, review, or maintain application code complete annual security training focused on secure coding practices, common vulnerabilities, and secure development lifecycle principles. Training typically covers topics such as OWASP Top 10, injection flaws, authentication weaknesses, cryptographic failures, secure API design, and platform-specific security features. The control reduces the likelihood that developers introduce exploitable vulnerabilities during the software development process and ensures awareness of emerging attack vectors.
Control objective
What auditing this proves
Demonstrate that all personnel with software development responsibilities receive documented security training at least annually, with training content aligned to secure coding principles and the organization's technology stack.
Associated risks
Risks this control addresses
- Developers introduce SQL injection, cross-site scripting, or other OWASP Top 10 vulnerabilities due to lack of awareness of secure coding practices
- Insecure authentication or authorization logic is implemented because developers are unfamiliar with framework-specific security controls
- Sensitive data is stored or transmitted insecurely due to developer misunderstanding of cryptographic requirements
- Third-party libraries with known vulnerabilities are integrated because developers lack training on dependency risk management
- APIs expose excessive data or lack proper input validation because developers are unaware of API security best practices
- Code review processes fail to identify security weaknesses because reviewers lack training on vulnerability patterns
- Developers inadvertently commit secrets, credentials, or sensitive configuration data to version control systems due to insufficient security awareness
Testing procedure
How an auditor verifies this control
- Obtain a complete roster of personnel with developer or software engineering job functions, including contractors and DevOps engineers with code commit privileges.
- Request training records for the most recent 12-month period showing completion dates, participant names, and training topics or course titles.
- Select a representative sample of developers (at least 15-20) spanning different teams, seniority levels, and technology stacks.
- Verify that each sampled developer completed security training within the past 12 months by cross-referencing training system records, certificates of completion, or LMS exports.
- Review the training curriculum or course content to confirm coverage of secure coding principles, common vulnerability classes, and defensive programming techniques relevant to the organization's development platforms.
- Interview 3-5 developers to assess practical understanding of key concepts such as input validation, parameterized queries, secure session management, and secrets management.
- Examine new hire onboarding documentation to confirm security training is included in the developer onboarding process for personnel hired mid-cycle.
- Review remediation evidence for any sampled developers who did not complete training on schedule, including documentation of exceptions, late completions, or role changes.
Where this control is tested