Re: Security Education in the Workplace
Well, I don't think I can speak for everyone on the list on this one. Most
have been pretty quiet on this so I am unsure what the response really
is. What I would say is "yes". That's right... an obscure answer that doesn't
make sense. :)
Actually, I would like to explore all facets of this.
Let me give you a few examples. You said you did threat modelling. Awesome.
Did you use STRIDE? (I would guess so, but want to ask for clarity anyways)
How many people even knew what that was at the beginning of the class? What
was the outcome? Are these people comfortable in using that now as part of
the initial phases of projects, and fortified with another threat analysis
midway and at the end? When you approached the modelling, did you use
practical examples of applications in house that the team members know
intimately, or did you use a more generic approach to make it easier to
understand for different teams?
Another example. Testers are building new tests. Excellent. We should all be
building better security tests and have them hooked into the master build
environments. (I found a combo of cygwin + perl to be awesome for writing
quick attack applications to stress-test sections of code/input/validation
under XP). Was the outcome some new generic tests others could use within
the organization? Personally I would LOVE to set up an accessible resource
on the web of generic security tests that could be modified to individual
applications. Anyone wanna play and let others see/use their security tests?
If so let me know. Don't be shy. :)
What I want to do here is spark a discussion on the type of content that was
used to approach the education in the workplace, and what the outcome is.
When new members join a corporation's team, some of this could be SOP
training for them before they touch any production code. (Personally I think
it should be made mandatory). This would mean in many cases the materials
need to be generic enough to apply security engineering knowledge while at
the same time building a foundation so they can start out the gate writing
better quality code with security in mind.
If this is truly the case, we SHOULD be able to come up with strong
examples generic enough to apply to almost all workplaces, which simply
makes all of our code better, developed with the quality and security our
customers deserve. I know I am preaching to the choir on this list (and I
apologize to all who have already rolled their eyes), but the result I would
like to see is information published that people NOT on this list can obtain
to hopefully plague their development teams with materials to hopefully make
THEIR code better.
So let's go from there. Would anyone like to share the sort of materials that
resulted from education in their workplace? Anyone interested in sharing
generic security tests they may have developed? Guidelines for code audits
and reviews (past Fagan-style type inspection)? Anyone have simple tests to
grep through master sources looking for dangerous function calls and bad
APIs? How about deployment procedures that aid in secure installations?
It is these types of procedures and tools which I think could aid others in
approaching their development teams in a positive light and make a
difference to the code quality through education. Not so much book knowledge
but more as practical real world information that can bring the level of
knowledge for security engineering up a few notches where it should be.
---
Regards,
Dana M. Epp
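A minimal version of the "grep through master sources looking for dangerous function calls" check asked for above, added here as an illustration; it is not a tool from Dana's post or from anyone on the list. The table of flagged C functions, the advice attached to each, and the sample source file are assumptions constructed for the example:

```python
import re

# Risky C/C++ calls and the note a reviewer should see next to each hit.
# The table is an assumption for this example, not a list from the thread.
RISKY_CALLS = {
    "gets":     "no bound on input; use fgets with an explicit size",
    "strcpy":   "unbounded copy; use a length-checked copy with the destination size",
    "strcat":   "unbounded append; use a length-checked append",
    "sprintf":  "unbounded formatting; use snprintf",
    "vsprintf": "unbounded formatting; use vsnprintf",
    "scanf":    "%s without a field width reads unbounded input",
    "system":   "shell invocation; check every argument for untrusted data",
}

# An identifier immediately followed by '(' that is not part of a longer name:
# matches 'strcpy(' but not 'my_strcpy(', 'strcpy_s(' or 'fgets('.
CALL_RE = re.compile(r"(?<![A-Za-z0-9_])(" + "|".join(RISKY_CALLS) + r")\s*\(")


def strip_comments(text):
    """Blank out /* */ and // comments, keeping newlines so line numbers survive."""
    text = re.sub(r"/\*.*?\*/", lambda m: "\n" * m.group(0).count("\n"), text, flags=re.S)
    return re.sub(r"//[^\n]*", "", text)


def scan_source(text):
    """Return (line_number, function, reason) for every risky call in one file."""
    findings = []
    for lineno, line in enumerate(strip_comments(text).splitlines(), start=1):
        for m in CALL_RE.finditer(line):
            findings.append((lineno, m.group(1), RISKY_CALLS[m.group(1)]))
    return findings


def format_report(filename, text):
    """One grep-style line per finding: file:line: function - reason."""
    return "\n".join(f"{filename}:{n}: {fn} - {why}" for n, fn, why in scan_source(text))


# Constructed sample file: two real hits (lines 6 and 10), one commented-out call,
# one look-alike name and one safe variant that must all stay quiet.
SAMPLE_SOURCE = """\
#include <stdio.h>
#include <string.h>

/* strcpy(buf, s) inside a comment must not be reported */
int copy_name(char *dst, const char *src) {
    strcpy(dst, src);
    return 0;
}
void read_line(char *buf) {
    gets(buf);
    my_strcpy(buf, "x");
    snprintf(buf, 16, "%s", "ok");
}
"""

if __name__ == "__main__":
    print(format_report("sample.c", SAMPLE_SOURCE))
```

Run it over a real tree by reading each file and calling `scan_source`; the output is a triage list, not a verdict. It deliberately stays dumb: string literals and macros that contain a flagged name will be reported, and a wrapper that hides `strcpy` behind another name will not be. That matches the purpose Dana describes, giving a reviewer a short list of places to read first, which is also what the open-source scanners of that era (for example flawfinder) did in more detail.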
----- Original Message -----
From: "Michael Howard"
To: "Dana Epp"
Sent: Monday, December 02, 2002 2:09 PM
Subject: RE: Security Education in the Workplace
Sorry for delay - I left town for thanksgiving and hardly touched my
laptop - I bought a shiny new Nikon D-100 and used that instead :-))
I'm more than willing to share what we did - but I'd need to know what
sort of info is needed.
The process was pretty easy (albeit, hectic!)
- education for all (three tracks, dev, test and designers)
- lotsa examples, with specifics (such as threat modeling, tracing input
and data mutation testing)
- the essence of the training is now available as a Microsoft Official
Curriculum course, 2805a "Security Seminar for Developers" (I doubt it's
deep enough for anyone here!)
- each component has to come up with a prioritized list of tasks to
complete the push, we reviewed these plans and gave feedback.
- devs reviewed code for issues based on the education provided. The
good news is people at Msft tend to think WAY beyond just being told
what to do - so every group looked critically at their components from a
'blackhat' perspective - that's why education is critical.
- testers built new tests that focused on fault injection, data mutation
and running more non-admin tests.
- designers worked on threat models (average time for threat model: 3
weeks) as well as determining what it takes to reduce the attack surface
of the product. This includes turning stuff off that's not needed by
most users, running with lower priv, extra defensive layers and so on.
There's tons more stuff we did... But I need to know what people want...
Cheers, Michael
Secure Windows Initiative
Writing Secure Code
http://www.microsoft.com/mspress/books/5612.asp
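The "data mutation" tests Michael lists, and the quick stress tests of input validation Dana mentions earlier in the thread, both amount to the same exercise: take valid inputs, mangle them mechanically, and check that the parser neither crashes nor quietly accepts something malformed. The following is an added example of that exercise and is not code from Microsoft's training or from either poster; the record format, the two parsers and the seed records are assumptions constructed for it:

```python
import random

# Assumed record format for this example (constructed, not from the thread):
#   "<name>:<length>:<payload>"  where <name> is 1-16 ASCII letters and
#   <length> is the decimal byte count of <payload>.


def parse_naive(record: bytes):
    """First-cut parser that trusts its input: splits and believes the length field."""
    name, length, payload = record.split(b":", 2)
    return name.decode("ascii"), payload[: int(length)]


def parse_hardened(record: bytes):
    """Parser that checks every field and returns None for anything malformed."""
    parts = record.split(b":", 2)
    if len(parts) != 3:
        return None
    name, length, payload = parts
    if not (1 <= len(name) <= 16 and name.isalpha()):      # bytes.isalpha is ASCII-only
        return None
    if not (length.isdigit() and len(length) <= 4):        # refuse absurd lengths
        return None
    if str(int(length)).encode() != length:                # no leading zeros, one spelling
        return None
    if int(length) != len(payload):
        return None
    return name.decode("ascii"), payload


def mutate(record: bytes, rng: random.Random) -> bytes:
    """Apply one random mutation: bit flip, truncation, lost delimiter, bad length or bloat."""
    choice = rng.randrange(5)
    if choice == 0 and record:                              # flip a single bit
        i = rng.randrange(len(record))
        return record[:i] + bytes([record[i] ^ (1 << rng.randrange(8))]) + record[i + 1:]
    if choice == 1:                                         # cut the record short
        return record[: rng.randrange(len(record) + 1)]
    if choice == 2:                                         # drop a delimiter
        return record.replace(b":", b"", 1)
    if choice == 3:                                         # tamper with the length field
        parts = record.split(b":", 2)
        if len(parts) == 3:
            parts[1] = rng.choice([b"-1", b"0", b"99999999", b"abc", b""])
            return b":".join(parts)
    return record + b"A" * rng.randrange(1, 200)            # bloat the payload


def mutation_test(parser, seeds, iterations=2000, seed=1):
    """Return (crashes, bad_accepts): unexpected exceptions, and accepted records
    that do not round-trip to the bytes that were actually parsed."""
    rng = random.Random(seed)
    crashes, bad_accepts = [], []
    for _ in range(iterations):
        data = mutate(rng.choice(seeds), rng)
        try:
            result = parser(data)
        except Exception as exc:                            # any crash is a finding
            crashes.append((data, repr(exc)))
            continue
        if result is None:
            continue
        name, payload = result
        canonical = name.encode("ascii") + b":" + str(len(payload)).encode() + b":" + payload
        if canonical != data:                               # accepted, but not what was sent
            bad_accepts.append(data)
    return crashes, bad_accepts


# Constructed seed records; every one is valid under the assumed format.
SEEDS = [b"user:5:hello", b"session:12:hello world!", b"key:3:a:b"]

if __name__ == "__main__":
    for parser in (parse_naive, parse_hardened):
        crashes, bad = mutation_test(parser, SEEDS)
        print(f"{parser.__name__}: {len(crashes)} crashes, {len(bad)} silent bad accepts")
```

The harness checks two different things, and both matter: the naive parser raises on truncated or delimiter-less input (a crash a tester sees immediately) and, less visibly, accepts bloated or short payloads by silently slicing them to the declared length. The round-trip invariant is what catches the second class; a test that only looks for exceptions would call the naive parser robust. The hardened parser returns None for every mutant and never raises, which is the property a generic test like this should be asserting on any input-handling routine.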
-----Original Message-----
From: Dana Epp [mailto:dana@vulscan.com]
Sent: Tuesday, November 26, 2002 4:41 PM
To: Michael Howard; secprog@securityfocus.com
With all the talk of development libraries one common thread has
continued to pop up with which there has been little debate. And that is
that the weakest link is the human factor, and that better education is
required. In many cases, the question not answered is how do we do this
in the corporate environment, educating existing developers.
I don't want to single out any one person as we have all had/have to
deal with this in our own teams. But with Microsoft's latest push on
better code quality with a "security-oriented developer's boot camp" I
am wondering if anyone from the Secure Windows Initiative or the
Trustworthy Computing arena at the campus would like to share with us
the approach that was taken for the Microsoft boot camp. I need to
apologize immediately to Michael as I have cc'd him on this as he is one
of the few people at the Microsoft campus that can speak authoritatively
on such endeavours, but unsure what the corporate policy would be on
divulging this sort of information. ( Michael, I'll buy you a beer next
time I am in Seattle and you can chastise me then :-P )
So how about it? Instead of continuing to beat a dead horse about the
length of pointers and the power of the sizeof op (*sigh* will guys ever
get over that... this discussion has been going on since the 80's ;-) )
perhaps we could have a constructive thread on approaches used in
existing teams to "re-educate" them. Now, we could of course spew forth
material from books like "Writing Secure Code", "Security Engineering"
and the likes but I would be more interested in the real world
application to educate existing developers. It would be interesting to
see what sort of materials the "MS Boot camp" used, but can fully
understand if they would not wish to disclose such information. More to
the point, I bet a lot of us would be interested in how other work
places have gone about doing this. Not just Microsoft.
On top of that, this may help Michael with the Security Education thread
he had about real world examples. Outside of understanding the real
world application of knowing how to use the sizeof of (oh hell.. now I
am hanging on about it.. shame on me) perhaps techniques taught in the
work place could be applied to examples that could be placed in good
books like WSC.
Feel free to fire the flames to /dev/null. All other constructive
criticisms on why this would or would not be a good idea are welcomed.
If we get enough good feedback I would love to publish this information
on the web for others to read in the future. Including some of the good
examples we may be able to cultivate from this.
---
Regards,
Dana M. Epp
Received on Wed Dec 4 11:42:16 2002
This archive was generated by hypermail 2.1.8: Wed Aug 23 2006 - 14:02:44 EDT