Re: [SC-L] Software Security Training for Developers

2007-08-17 Thread Nish Bhalla
Hi Chris,

We at Security Compass have been doing that for developers for about 2 years
now. We have done this type of training and also the training from the pen
tester angle.

Some of the things that we have seen make this training much more effective
are:

- If the direction for the training and security initiative is coming in
  from the top rather than just from one manager (not to say that having it
  from one manager doesn't help)

- If there are some general policies and guidelines for building secure
  software

- If there are general guidelines for building secure architecture

- If there are thought processes in place for updating the existing SDLC
  with security in place to improve the overall direction of the company
  towards a more secure application development practice

- Finally, if the training is developed around these kinds of practices and
  customized to your specific environment.

We also think providing different kinds of training for different levels of
people is important, i.e. a training for managers, a training for
architects, a training for QA/Security professionals and finally a training
for developers. Each has a specific goal in mind and speaks, so to speak, the
individual language of each group.

Hope this helps. If you would like to chat more just email me.

Nish.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of McCown, Christian M
Sent: Thursday, August 16, 2007 7:23 PM
To: sc-l@securecoding.org
Subject: [SC-L] Software Security Training for Developers


What are folks' experiences with software security training for developers?
By this, I'm referring to teaching developers how to write secure code.  Ex.
things like how to actually code input validation routines, what evil
functions and libraries to avoid, how to handle exceptions without divulging
too much info, etc.  Not how to hack applications.  There are quality
courses and training that show you how to break into apps--which are great,
but my concern is that if you are a developer (vs. a security analyst, QA
type, pen-tester, etc.), even when you know what could happen, unless you've
been specifically taught how to implement these concepts in your
language/platform of choice (ASP .NET, C#, Java, etc.), you're not getting
the most bang for the buck from them.

 

What vendors teach it? 
How much does it cost? 
Actual impact realized? 

Tx 

Chris McCown, GSEC(Gold)
Intel Corporation
(916) 377-9428 | [EMAIL PROTECTED]

___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___


Re: [SC-L] Insider threats and software {darkreading thread}

2007-08-17 Thread Gary McGraw
Hi all,

As is often the case with these darkreading things, we have two discussion
threads going. Those of you interested in a very well thought out counter
argument to my position should read Kevin's excellent posting on darkreading.

http://www.darkreading.com/boards/messages.asp?thread_id=165118msg_id=147279t=true#msg_147279

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
book www.swsec.com

-Original Message-
From: Wall, Kevin [mailto:[EMAIL PROTECTED]
Sent: Friday, August 17, 2007 1:38 AM
To: Gary McGraw
Subject: Posted thread on your Dark Reading column (was RE: [SC-L] Insider 
threats and software)

Hi Gary,

Our Exchange server was down for awhile so rather than posting
a reply to your post on SC-L, I simply created a reply thread
on your Dark Reading column.

Given that, I'm not sure that it's worth posting to SC-L too.
Give it a read and see what you think. Or maybe they could just
be referred to the URL if you think it actually contributes
anything of value.

Cheers (or is that beers?),
-kevin
---
Kevin W. Wall                Qwest Information Technology, Inc.
[EMAIL PROTECTED]            Phone: 614.215.4788
"The reason you have people breaking into your software all
over the place is because your software sucks..."
    -- Former White House cyber-security adviser, Richard Clarke,
       at eWeek Security Summit



Re: [SC-L] Software Security Training for Developers

2007-08-17 Thread Sammy Migues
Hi Chris,

My experience is that, like most engineers, most software developers want to
improve their skills and that, as a group, they hate making easily-avoidable
mistakes of any sort. Training that focuses on reinforcing their existing
skills in design and development and then works methodically to give them the
extra layer of knowledge to make the code not only function, but also behave
with respect to security, is almost always well received. Any training that
comes across as "You're doing it wrong, stop everything and do it this way"
will almost always be ignored. No one has time for that.

Internal groups and others who are getting started in developer training tend
to create "bug parade" kinds of materials. You'll see slide after slide of
five-line code snippets while the instructor says "That's wrong, don't do
that." That kind of mistake detection is often so easily automatable these
days that buying or building training for it, and taking all your developers
out of action for a day or two to run through it, may not be the best choice.

As you alluded to, we need to teach developers how to actually write secure
code. The problem, however, is that the march of development methods,
languages, frameworks, architectures, and so on means there usually cannot be a
single approach for, by way of example, coding input validation routines. On
the whole, the industry is at the stage where we need to teach developers to
recognize situations where "security goes here", and give them the reasoning
skills and prescriptive guidance to code their way out of the problem in their
particular environment.

This kind of defensive programming training seems to be most valuable these 
days and it takes real experience and real experts to create and deliver such 
material.

Meanwhile, it takes more than educated developers to produce software that
behaves appropriately in the face of attack. The requirements people also need
some help, and it's unlikely the business analysts, the architects, and the
testers are sufficiently considering the non-functional security aspects of the
thing they are trying to bring to life. Of course, the operations folks also
need to understand their part in the secure software lifecycle. In addition,
executives need to understand how to govern and managers need to understand how
to facilitate.

By way of full disclosure, I've spent a great deal of time building such a 
cross-cutting curriculum at Cigital, which we've delivered to a variety of 
financial services, independent software vendor, and other organizations.

As for pricing, I've seen everything from a few hundred dollars per person for 
material you could effectively download yourself to $12,000 or more per day for 
a few slides and one big exercise that may have nothing to do with a group's 
particular needs. I've also seen a few examples of some really good stuff that 
just speaks to me. Organizations must make sure they're getting an instructor 
that thoroughly understands the material and that they've worked with the 
training provider to ensure the material is appropriately customized to their 
needs.

Effectiveness is in the eye of the beholder. The actual impact of developer 
training alone may take months to show up in even the most mature dashboard. 
More broad training across each of the key roles, appropriately supported by 
prescriptive guidance and automation, has historically shown a recognizable 
impact (e.g., finding many more security-related bugs much earlier in the SDLC) 
much more quickly.

I recently put together some (long) thoughts on an approach for training. You 
can see them at 
http://www.cigital.com/justiceleague/2007/06/25/training-material-training-and-behavior-modification-part-1-of-3-%e2%80%93-training-material/.


--Sammy.

Sammy Migues
Director, Knowledge Management and Training
703.404.5830 - http://www.cigital.com/