There are a number of key components to the algorithm that determines your Secure Code Warrior Trust Score, as outlined in our explainer article here. Because the Trust Score takes into account many different signals of developer comprehension of key security topics, it can be challenging to identify where you should focus your efforts to help improve your organisation's score, and by doing so, improve your overall application security posture.
This article explains how to use the different visualizations in the Trust Score report to identify the biggest opportunities for improvement amongst each key component:
- Onboarding: new learners begin to drag down the company score if they don't complete activities on the platform within 6 months of being onboarded.
- Recency of learning: skills fade most in the 2nd year after completing each activity. After 2 years, learners need a refresher.
- Breadth: how much of the relevant security standard (e.g. OWASP Top 10 for Web) the learner has covered.
- Depth: the range of activities completed to learn about each concept/vulnerability.
1. Onboarding
Use the 'Learner skill level distribution' chart to focus on the grey coloured group: learners who have never completed any learning activities on the SCW platform.
If this is a significant chunk of learners (for example, if this number is greater than 10% of your overall userbase, or if this bar is taller than most/all the other bars in this chart) then there is likely a strong opportunity to improve your overall score by getting this group of learners up and running.
This company will improve their score if these 370 enabled learners log in and get started on their Secure Code learning journey.
To identify these learners for any further action you may want to take outside of SCW, you can export the Learner List table and filter using the 'Last Completed Activity' column.
2. Learning recency (also known as Skill Fade)
Use the 'Learner skill level distribution' chart to focus on the red, orange and yellow colored sections of the chart.
The yellow and orange sections, where learners last completed any learning activity 12-18 months and 18-24 months ago respectively, are rapidly losing skill level and will cause your overall skill level to drop further in the coming months if they do not re-engage with the SCW platform.
The red section covers learners who last completed any activity over 2 years ago. These learners have now lost all their previously earned skill level and are dragging down your overall Company Trust Score.
Without getting learners back on the platform, this company's score will continue to erode rapidly over the next 12 months, as the yellow group turns to orange and red, and their scores fade faster towards 0.
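The export-and-filter step above, and the recency bands in this section, can be combined into a short script that classifies each learner from the exported Learner List into the same colour bands the chart uses and flags grey learners whose 6-month onboarding window has passed. This is an added example, not SCW's own code: only the 'Last Completed Activity' column name comes from this article; the 'Name' and 'Date Enabled' columns and the sample rows are assumptions.

```python
# Added example (not SCW's own code): bucket an exported Learner List into the
# recency bands of the 'Learner skill level distribution' chart. Only the
# 'Last Completed Activity' column is named on the page; 'Name', 'Date Enabled'
# and the CSV rows below are assumed/constructed sample data.
import csv
from datetime import date

SAMPLE_EXPORT = """Name,Date Enabled,Last Completed Activity
alice,2023-01-10,2024-03-02
bob,2023-06-01,
carol,2022-02-14,2022-01-20
dave,2024-01-05,2023-03-15
erin,2024-02-20,
frank,2021-11-30,2022-11-01
"""

def months_between(earlier: date, later: date) -> int:
    """Whole months from earlier to later; a partial month does not count."""
    months = (later.year - earlier.year) * 12 + (later.month - earlier.month)
    return months - 1 if later.day < earlier.day else months

def recency_band(last_activity, today: date) -> str:
    """Chart colour: grey = never active, then the 12/18/24-month cut-offs."""
    if last_activity is None:
        return "grey"
    months = months_between(last_activity, today)
    if months < 12:
        return "green"   # skill level still current
    if months < 18:
        return "yellow"  # 12-18 months ago: fading
    if months < 24:
        return "orange"  # 18-24 months ago: fading fast
    return "red"         # over 2 years ago: skill level fully faded

def classify_export(csv_text: str, today: date) -> dict:
    """Map learner name -> band; grey learners enabled 6+ months ago become 'grey-onboarding-overdue'."""
    bands = {}
    for row in csv.DictReader(csv_text.splitlines()):
        last = row["Last Completed Activity"].strip()
        band = recency_band(date.fromisoformat(last) if last else None, today)
        if band == "grey" and months_between(date.fromisoformat(row["Date Enabled"]), today) >= 6:
            band = "grey-onboarding-overdue"
        bands[row["Name"]] = band
    return bands

def sample_bands() -> dict:
    """Classify the constructed export as of a fixed date so results are repeatable."""
    return classify_export(SAMPLE_EXPORT, date(2024, 6, 1))

if __name__ == "__main__":
    for name, band in sample_bands().items():
        print(f"{name}: {band}")
```

Point `classify_export` at a real export (with the column names adjusted to match) and the yellow, orange and red names are the re-engagement list; the overdue grey names are the onboarding list.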
3. Breadth of content covered
Use the 'Learner skill level distribution' chart to focus on the green colored section of the chart. If most of the chart is green, but the distribution of scores is clustered closer to the left of the chart than the right, then you have identified an opportunity to improve either the Breadth or the Depth of content your learners are covering.
This company needs to look at the breadth and depth of content being covered by their learners to best identify how to improve their scores.
To do this, first look at what kinds of developers you have, to work out where the opportunities to provide more breadth or depth in learning content are.
Use the 'Role distribution' chart to identify which developer roles to focus on. Typically, 'Full Stack' is the most common developer role. A learner's role is determined by the languages they have used the most in SCW.
This company should first look to improve content coverage amongst their Full Stack developers.
Each developer's skill level is determined by assessing the content they have covered against the set of vulnerability topics that are relevant to that role, e.g. Full Stack = OWASP Top 10 for Web 2021, Frontend = SCW Frontend Top 5, etc.
Use the 'Vulnerability concept coverage' table to select the developer role that has the largest group amongst your user base. Looking down the list of categories in the table, Breadth of content covered refers to how many of the concepts in the list have been covered.
If you see that many of the concepts listed for the role you have selected have 0 or very low coverage, consider assigning learners in this role more content to complete in these different categories.
4. Depth of content covered
Use the 'Vulnerability concept coverage' table to select the developer role that has the largest group amongst your user base. Looking down the list of categories in the table, Depth of content covered refers to how many activities of different types have been covered in each topic. Typically, achieving a high depth of content covered in a given topic requires exploring all the different activity types available: Guidelines, Videos, Missions, Challenges and Coding Labs.
If a particular topic has lower coverage compared to the others, consider assigning learners in this role different types of activities to complete in this category.