WebApp Sec mailing list archives
RE: Security training of developers and company liability
From: "Jason Gregson" <Jason.Gregson () easyi com>
Date: Thu, 8 Dec 2005 12:47:30 -0000
Afternoon I am not a teacher/lawyer but I would say that if any of your students use any of these tools in anger on the premises of where they are being taught, that you will be liable regardless of whether they sign a waiver or not. If they do use these tools outside the premises you would not be liable. If you train someone how to fire a pistol accurately - are you responsible for them acquiring a stolen firearm and then taking someone's life? Have you had a look at the Computers Misuse Act 1990 http://www.opsi.gov.uk/acts/acts1990/Ukpga_19900018_en_1.htm If the students are attempting to gain access to DATA without permission, they are breaking the law. 1.-(1) A person is guilty of an offence if- (a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer; This is not legal advice, just my opinion. My two pence worth. Regards Jason Gregson -----Original Message----- From: Stephen de Vries [mailto:stephen () corsaire com] Sent: 08 December 2005 08:55 To: James Strassburg Cc: webappsec () securityfocus com Subject: Re: Security training of developers and company liability I used to be a trainer on the ISS Ethical Hacking course in the UK and it was standard practice to have the delegates sign a waiver that they would only use their new powers in defense of the empire. Not sure whether this was strictly necessary in the UK, it could have been a knee jerk reaction from the US legal department. It rarely hurts to play it safe. cheers, Stephen On 7 Dec 2005, at 23:51, James Strassburg wrote:
I am currently training all of my organization's software developers on web application security. I'm using WebScarab and WebGoat as my primary teaching tools as I feel that seeing how the problems are exploited is much more effective than trying to cover every type of coding mistake that can lead to the problems. My question is about company liability. What if one of the developers used the information learned to attack another site? Is my company liable for their actions as we taught them how to do it? Should I have our legal department create a disclaimer or waiver for them to sign? I will be asking the same questions directly to our legal department but thought a discussion here could provide some more insight and be valuable for others. thanks. James A. Strassburg Jr. Software Security Architect Direct Supply, Inc.
________________________________________________________________________ ______ This email was scanned for all viruses by our Security Systems on entering the Easy i network. For more information on this scanning, please contact Easy i. ________________________________________________________________________ ______
Current thread:
- Security training of developers and company liability James Strassburg (Dec 07)
- Re: Security training of developers and company liability Stephen de Vries (Dec 08)
- RE: Security training of developers and company liability Clement Dupuis (Dec 08)
- RE: Security training of developers and company liability Lyal Collins (Dec 08)
- RE: Security training of developers and company liability Clement Dupuis (Dec 08)
- Re: Security training of developers and company liability Daniel (Dec 08)
- <Possible follow-ups>
- RE: Security training of developers and company liability Griffiths, Ian (Dec 08)
- RE: Security training of developers and company liability Brokken, Allen P. (Dec 08)
- RE: Security training of developers and company liability Jason Gregson (Dec 08)
- RE: Security training of developers and company liability James Strassburg (Dec 08)
- RE: Security training of developers and company liability Jeff Robertson (Dec 08)
- Re: Security training of developers and company liability Daniel (Dec 09)
- RE: Security training of developers and company liability Harley David (Dec 12)
- RE: Security training of developers and company liability James Strassburg (Dec 12)
- RE: Security training of developers and company liability Wall, Kevin (Dec 13)
- Re: Security training of developers and company liability Stephen de Vries (Dec 08)