Re: Security Education in the Workplace

From: Jeff Williams at Aspect
Date: Wed Nov 27 2002 - 00:01:13 EST

Dana,

I think you're exactly right that developer education and training are critical to better code. I can't speak to the Microsoft training program, but we've been offering a web application developer security course for several years. I think it's very effective to train a whole team for a few days at the start of a project so that everyone is aware of the issues. Frequently we draft up a short application security policy to capture how that project will deal with security issues.

I think it is most effective to teach security in a particular context, such as web applications, as opposed to a generic secure programming course. Web applications have many of the same security problems as other types of code, but they have their own peculiarities and interpretations too. In any case, I think the curriculum for a developer's web application security course ought to at least address:

  • how to use security mechanisms correctly (authentication, access control, encryption, logging, etc...)
  • how to avoid security vulnerabilities in all of the code (parameter validation, error handling, result checking, etc...)
  • demonstrations and hands-on with real hacker tools (nmap, nessus, achilles, spike, nikto, etc...)
  • on-line practice with a real flawed web application (this is why we donated WebGoat to OWASP)

I like to include design patterns and pseudo code for approaching typical web application security issues, including how to avoid common pitfalls. I even mix in a little security theory when I think it'll help. It definitely helps to provide developers with real examples from actual code reviews and penetration tests. And this type of training definitely works -- I've had developers get up and rush out of class to go fix their code!

--Jeff

Jeff Williams, CEO
jeff.williams@aspectsecurity.com
Aspect Security, Inc.
www.aspectsecurity.com
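The curriculum items above (using security mechanisms correctly, and avoiding vulnerabilities through parameter validation, error handling and result checking) are the kind of thing the course teaches with a "pitfall beside the fix" pattern. The following is an added illustration in that spirit, not code from the original post, from Jeff Williams or from WebGoat: a request handler that builds its query from an unvalidated parameter, beside a hardened version of the same lookup. The in-memory SQLite table, the `params` dictionary standing in for request parameters, and the function names are all assumptions made for the example.

```python
import logging
import re
import sqlite3

log = logging.getLogger("webapp")


def make_db():
    # Constructed sample data: an in-memory table standing in for the
    # application's user store (an assumption of this example).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "user"), (2, "bob", "user"), (3, "root", "admin")],
    )
    return conn


def lookup_vulnerable(conn, params):
    # Pitfall: the 'id' parameter is trusted as-is and spliced into SQL,
    # so "1 OR 1=1" returns every row. Database errors also propagate
    # unhandled, leaking schema details to whoever sent the request.
    query = "SELECT id, name FROM users WHERE id = " + params["id"]
    return conn.execute(query).fetchall()


# Parameter validation: an allowlist for the one shape of value we accept.
USER_ID = re.compile(r"[1-9][0-9]{0,8}")


def lookup_hardened(conn, params):
    raw = params.get("id", "")
    if not USER_ID.fullmatch(raw):
        # Reject rather than "clean up" input that does not match.
        return {"status": 400, "body": "invalid id"}
    user_id = int(raw)
    try:
        # The value travels as a bound parameter, never as SQL text.
        rows = conn.execute(
            "SELECT id, name FROM users WHERE id = ?", (user_id,)
        ).fetchall()
    except sqlite3.Error:
        # Error handling: full detail to the server log, a generic
        # message to the client.
        log.exception("user lookup failed for id=%s", user_id)
        return {"status": 500, "body": "internal error"}
    # Result checking: an empty result is a normal outcome that the
    # caller must handle explicitly, not an exception.
    if not rows:
        return {"status": 404, "body": "no such user"}
    return {"status": 200, "body": {"id": rows[0][0], "name": rows[0][1]}}


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_vulnerable(db, {"id": "1 OR 1=1"}))
    print("hardened:  ", lookup_hardened(db, {"id": "1 OR 1=1"}))
    print("hardened:  ", lookup_hardened(db, {"id": "2"}))
```

Run as a script, the vulnerable lookup returns all three users for the injected parameter while the hardened one returns a 400; the point for a class is that the fix is three separate habits (validate the parameter, bind it, check the result), not one.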

----- Original Message -----
From: Dana Epp
To: Michael Howard ; secprog@securityfocus.com
Sent: Tuesday, November 26, 2002 7:41 PM
Subject: Security Education in the Workplace

With all the talk of development libraries one common thread has continued to pop up with which there has been little debate. And that is that the weakest link is the human factor, and that better education is required. In many cases, the question not answered is how do we do this in the corporate environment, educating existing developers.


I don't want to single out any one person as we have all had/have to deal with this in our own teams. But with Microsoft's latest push on better code quality with a "security-oriented developer's boot camp" I am wondering if anyone from the Secure Windows Initiative or the Trustworthy Computing arena at the campus would like to share with us the approach that was taken for the Microsoft boot camp. I need to apologize immediately to Michael as I have cc'd him on this as he is one of the few people at the Microsoft campus that can speak authoritatively on such endeavours, but I am unsure what the corporate policy would be on divulging this sort of information. (Michael, I'll buy you a beer next time I am in Seattle and you can chastise me then :-P)

So how about it? Instead of continuing to beat a dead horse about the length of pointers and the power of the sizeof op (*sigh* will guys ever get over that... this discussion has been going on since the 80's ;-) ) perhaps we could have a constructive thread on approaches used in existing teams to "re-educate" them. Now, we could of course spew forth material from books like "Writing Secure Code", "Security Engineering" and the like, but I would be more interested in the real world application to educate existing developers. It would be interesting to see what sort of materials the "MS Boot camp" used, but I can fully understand if they would not wish to disclose such information. More to the point, I bet a lot of us would be interested in how other work places have gone about doing this. Not just Microsoft.

On top of that, this may help Michael with the Security Education thread he had about real world examples. Outside of understanding the real world application of knowing how to use sizeof (oh hell.. now I am hanging on about it.. shame on me) perhaps techniques taught in the work place could be applied to examples that could be placed in good books like WSC.

Feel free to fire the flames to /dev/null. All other constructive criticisms on why this would or would not be a good idea are welcomed. If we get enough good feedback I would love to publish this information on the web for others to read in the future, including some of the good examples we may be able to cultivate from this.

---
Regards,
Dana M. Epp
Received on Wed Nov 27 14:27:23 2002

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:44 EDT