Hi Chris,


We at Security Compass have been doing that for developers for about 2 years
now. We have done this type of training and also the training from the pen
tester angle. 


Some of the things that we have seen make this training much more effective:


[] If the direction for the training and security initiative is coming
from the top rather than just from one manager (not to say that having it
from one manager doesn't help)

[] If there are some general policy and guidelines to building secure

[] If there are general guidelines to build secure architecture

[] If there are thought processes in place for updating the existing SDLC
with security in place to improve the overall direction of the company
towards a more secure application development practice

[] Finally, if the training is developed around these kinds of practices and
customized to your specific environment.


We also think providing different kinds of training for different levels of
people is important, i.e. a training for managers, a training for
architects, a training for QA/Security professionals and finally a training
for developers. Each has a specific goal in mind and speaks, so to speak, the
individual language of each group.


Hope this helps. If you would like to chat more, just email me.





On Behalf Of McCown, Christian M
Sent: Thursday, August 16, 2007 7:23 PM
To: sc-l@securecoding.org
Subject: [SC-L] Software Security Training for Developers



What are folks' experiences with software security training for developers?
By this, I'm referring to teaching developers how to write secure code. Ex.
things like how to actually code input validation routines, what "evil"
functions and libraries to avoid, how to handle exceptions without divulging
too much info, etc. Not "how to hack applications". There are quality
courses and training that show you how to break into apps--which are great,
but my concern is that if you are a developer (vs. a security analyst, QA
type, pen-tester, etc.), even when you know what could happen, unless you've
been specifically taught how to implement these concepts in your
language/platform of choice (ASP .NET, C#, Java, etc.), you're not getting
the most bang for the buck from them.


What vendors teach it? 
How much does it cost? 
Actual impact realized? 


Chris McCown, GSEC(Gold) 
Intel Corporation 
(916) 377-9428 | [EMAIL PROTECTED]

Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
