WebApp Sec mailing list archives
RE: Security training of developers and company liability
From: "Brokken, Allen P." <BrokkenA () missouri edu>
Date: Thu, 8 Dec 2005 12:53:43 -0600
When teaching college students we put up a few bullets in advance that basically says The purpose of this class is to make the student a better developer. Use of the exploits against systems or applications without explicit permission of the owners is a violation of our Acceptable Use policy, and may be subject to legal action in jurisdictions worldwide. That may not be legally formal enough to stand up in court, however it explicitly states my intent as a teacher. It also warns the students that they my be subject to either University discipline, or legal action. I don't make a big deal about this, but it's there. --- Allen Brokken IAT Services - ISAM University of Missouri brokkena () missouri edu -----Original Message----- From: Lyal Collins [mailto:lyal.collins () key2it com au] Sent: Thursday, December 08, 2005 1:37 AM To: 'James Strassburg'; webappsec () securityfocus com Subject: RE: Security training of developers and company liability Obligatory IANAL disclaimer. Is this like asking if a driving instuctor is liable because a former student commits manslaughter or murder with a vehicle? I think the key issues are ethics, and intent. With skills that are more potentially dangerous, ethics and responsbility needs to be part of the skills and knoweldge shared during training. As long as the company's intent is not to attack other sites, and has clear policies against such activities 'on company time' then there should be little issue. What an individual does outside of the workplace comes down to intent and responsibility. TO be real safe, ask your legal team your question, along with thoughts like the above as background. Your jurisidiction may be different, of course. Lyal -----Original Message----- From: James Strassburg [mailto:JStrassburg () directs com] Sent: Thursday, 8 December 2005 3:51 AM To: webappsec () securityfocus com Subject: Security training of developers and company liability I am currently training all of my organization's software developers on web application security. I'm using WebScarab and WebGoat as my primary teaching tools as I feel that seeing how the problems are exploited is much more effective than trying to cover every type of coding mistake that can lead to the problems. My question is about company liability. What if one of the developers used the information learned to attack another site? Is my company liable for their actions as we taught them how to do it? Should I have our legal department create a disclaimer or waiver for them to sign? I will be asking the same questions directly to our legal department but thought a discussion here could provide some more insight and be valuable for others. thanks. James A. Strassburg Jr. Software Security Architect Direct Supply, Inc.
Current thread:
- Security training of developers and company liability James Strassburg (Dec 07)
- Re: Security training of developers and company liability Stephen de Vries (Dec 08)
- RE: Security training of developers and company liability Clement Dupuis (Dec 08)
- RE: Security training of developers and company liability Lyal Collins (Dec 08)
- RE: Security training of developers and company liability Clement Dupuis (Dec 08)
- Re: Security training of developers and company liability Daniel (Dec 08)
- <Possible follow-ups>
- RE: Security training of developers and company liability Griffiths, Ian (Dec 08)
- RE: Security training of developers and company liability Brokken, Allen P. (Dec 08)
- RE: Security training of developers and company liability Jason Gregson (Dec 08)
- RE: Security training of developers and company liability James Strassburg (Dec 08)
- RE: Security training of developers and company liability Jeff Robertson (Dec 08)
- Re: Security training of developers and company liability Daniel (Dec 09)
- RE: Security training of developers and company liability Harley David (Dec 12)
- RE: Security training of developers and company liability James Strassburg (Dec 12)
- RE: Security training of developers and company liability Wall, Kevin (Dec 13)
- Re: Security training of developers and company liability Stephen de Vries (Dec 08)