Secure Coding mailing list archives

Re: Is developer education a lost cause?


From: "Joe Teff" <joe () joeteff com>
Date: Fri, 23 Jan 2004 03:58:15 +0000

I believe that educating developers is the single best method to improve 
the security of software. Corners get cut every day because of 
constraints of one type or another. That is a fact of life and I don't 
see it going away. By educating the builders of the code, at least they 
understand what is possible and can start taking better precautions. By 
educating the decision makers, we can start redefining which corners just 
can't be cut. Or at least what the risks are if they are cut. There are 
too many instances where decisions are made because the potential result 
is not understood.

Part of my job is to educate developers and architects about web 
application security. It is amazing how many do not understand the 
weaknesses of various technologies. There is a tendency for developers to 
only think in terms of how their software should be used, not in how 
someone may misuse it. This tendency causes vulnerabilities like SQL 
Injection, command injection, cross-site scripting, buffer overflows, 
hidden field/parameter/cookie tampering, direct browsing, directory 
traversal, etc.

That doesn't mean they will write 100% safe code forever. Most developers 
tend to program more defensively once they are exposed to the possibility 
of vulnerable practices.

My next goal is to start educating the decision makers. 

joe teff
