RE: Security training of developers and company liability

["Jason Gregson" <Jason.Gregson () easyi com>]

Afternoon

I am not a teacher/lawyer but I would say that if any of your students
use any of these tools in anger on the premises of where they are being
taught,  that you will be liable regardless of whether they sign a
waiver or not. If they do use these tools outside the premises you would
not be liable. 

If you train someone how to fire a pistol accurately - are you
responsible for them acquiring a stolen firearm and then taking
someone's life? 

Have you had a look at the Computers Misuse Act 1990
http://www.opsi.gov.uk/acts/acts1990/Ukpga_19900018_en_1.htm

If the students are attempting to gain access to DATA without
permission, they are breaking the law. 

1.-(1) A person is guilty of an offence if-
 (a) he causes a computer to perform any function with intent to secure
access to any program or data held in any computer;

This is not legal advice, just my opinion. My two pence worth.

Regards

Jason Gregson


-----Original Message-----
From: Stephen de Vries [mailto:stephen () corsaire com] 
Sent: 08 December 2005 08:55
To: James Strassburg
Cc: webappsec () securityfocus com
Subject: Re: Security training of developers and company liability


I used to be a trainer on the ISS Ethical Hacking course in the UK  
and it was standard practice to have the delegates sign a waiver that  
they would only use their new powers in defense of the empire.

Not sure whether this was strictly necessary in the UK, it could have  
been a knee jerk reaction from the US legal department.
It rarely hurts to play it safe.

cheers,
Stephen

On 7 Dec 2005, at 23:51, James Strassburg wrote:

> I am currently training all of my organization's software  
> developers on
> web application security.  I'm using WebScarab and WebGoat as my  
> primary
> teaching tools as I feel that seeing how the problems are exploited is
> much more effective than trying to cover every type of coding mistake
> that can lead to the problems.  My question is about company  
> liability.
> What if one of the developers used the information learned to attack
> another site?  Is my company liable for their actions as we taught  
> them
> how to do it?  Should I have our legal department create a  
> disclaimer or
> waiver for them to sign?
>
> I will be asking the same questions directly to our legal  
> department but
> thought a discussion here could provide some more insight and be
> valuable for others.  thanks.
>
>
> James A. Strassburg Jr.       
> Software Security Architect   
> Direct Supply, Inc.


________________________________________________________________________
______
This email was scanned for all viruses by our Security Systems on
entering the Easy i network. 
For more information on this scanning, please contact Easy i.
________________________________________________________________________
______