The Program Manager will ensure all levels of program management, designers, developers, and testers receive the appropriate security training pertaining to their job function.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-16780	APP2120	SV-17780r1_rule	PRTN-1	Medium

Description
Well trained IT personnel are the first line of defense against attacks or disruptions to the information system. Lack of sufficient training can lead to security oversights thereby, leading to compromise or failure to take necessary actions to prevent disruptions to operations.

STIG	Date
Application Security and Development Checklist	2014-12-22

Details

Check Text ( C-17757r1_chk )
Detailed Policy requirements: The Program Manager will ensure all levels of program management receive security training regarding the necessity, impact, and benefits of integrating secure development practices into the development lifecycle. The Program Manager will ensure designers are provided training on secure design principles for the entire SDLC and newly discovered vulnerability types on, at least, an annual basis. The Program Manager will ensure developers are provided with training on secure design and coding practices on, at least, an annual basis. The Program Manager will ensure testers are provided training on at least an annual basis. If the application is a COTS/GOTS product or is composed of only COTS/GOTS products with no custom code, this check does not apply unless the application is being reviewed by or in conjunction with the COTS/GOTS vendor in which case this check is applicable. Interview the application representative and ask for evidence of security training for application managers, designers, developers, and testers. Examples of evidence include course completion certificates and a class roster. At a minimum, security training should include Security Awareness Training. 1) If there is no evidence of security training, it is a finding.

Check Text ( C-17757r1_chk )

Detailed Policy requirements:

The Program Manager will ensure all levels of program management receive security training regarding the necessity, impact, and benefits of integrating secure development practices into the development lifecycle.

The Program Manager will ensure designers are provided training on secure design principles for the entire SDLC and newly discovered vulnerability types on, at least, an annual basis.

The Program Manager will ensure developers are provided with training on secure design and coding practices on, at least, an annual basis.

The Program Manager will ensure testers are provided training on at least an annual basis.

If the application is a COTS/GOTS product or is composed of only COTS/GOTS products with no custom code, this check does not apply unless the application is being reviewed by or in conjunction with the COTS/GOTS vendor in which case this check is applicable.

Interview the application representative and ask for evidence of security training for application managers, designers, developers, and testers. Examples of evidence include course completion certificates and a class roster. At a minimum, security training should include Security Awareness Training.

1) If there is no evidence of security training, it is a finding.

Fix Text (F-16977r1_fix)
Provide security training for managers, designers, developers, and testers.