Secure Coding mailing list archives

Software Security Training for Developers


From: SMigues at cigital.com (Sammy Migues)
Date: Fri, 17 Aug 2007 11:09:57 -0400

Hi Chris,

My experience is that, like most engineers, most software developers want to improve their skills and that, as a group, 
they hate making easily-avoidable mistakes of any sort. Training that focuses on reinforcing their existing skills in 
design and development and then works methodically to give them the extra layer of knowledge to make the code not only 
function, but also behave with respect to security, is almost always well received. Any training that comes across as, 
"You're doing it wrong, stop everything and do it this way" will almost always be ignored. No one has time for that.

Internal groups and others who are getting started in developer training tend to create "bug parade" kinds of 
materials. You'll see slide after slide of five-line code snippets while the instructor says "That's wrong, don't do 
that." That kind of mistake detection is often so easily automatable these days, that buying or building training for 
it, and taking all your developers out of action for a day or two to run through it, may not be the best choice.

As you alluded to, we need to teach developers how to actually write secure code. The problem, however, is that the 
march of development methods, languages, frameworks, architectures, and so on means there usually cannot be a single 
approach for, by way of example, coding input validation routines. On the whole, the industry is at the stage where we 
need to teach developers to recognize situations where "security goes here," and give them the reasoning skills and 
prescriptive guidance to code their way out of the problem in their particular environment.

This kind of defensive programming training seems to be most valuable these days and it takes real experience and real 
experts to create and deliver such material.

Meanwhile, it takes more than educated developers to produce software that behaves appropriately in the face of attack. 
The requirements people also need some help and it's unlikely the business analysts, the architects, and the testers 
are sufficiently considering the non-functional security aspects of the thing they are trying to bring to life. Of 
course, the operations folks also need to understand their part in the "secure software" lifecycle. In addition, 
executives need to understand how to govern and managers need to understand how to facilitate.

By way of full disclosure, I've spent a great deal of time building such a cross-cutting curriculum at Cigital, which 
we've delivered to a variety of financial services, independent software vendor, and other organizations.

As for pricing, I've seen everything from a few hundred dollars per person for material you could effectively download 
yourself to $12,000 or more per day for a few slides and one big exercise that may have nothing to do with a group's 
particular needs. I've also seen a few examples of some really good stuff that just "speaks to me." Organizations must 
make sure they're getting an instructor that thoroughly understands the material and that they've worked with the 
training provider to ensure the material is appropriately customized to their needs.

Effectiveness is in the eye of the beholder. The actual impact of developer training alone may take months to show up 
in even the most mature dashboard. More broad training across each of the key roles, appropriately supported by 
prescriptive guidance and automation, has historically shown a recognizable impact (e.g., finding many more 
security-related bugs much earlier in the SDLC) much more quickly.

I recently put together some (long) thoughts on an approach for training. You can see them at 
http://www.cigital.com/justiceleague/2007/06/25/training-material-training-and-behavior-modification-part-1-of-3-%e2%80%93-training-material/.


--Sammy.

Sammy Migues
Director, Knowledge Management and Training
703.404.5830 - http://www.cigital.com


________________________________
From: sc-l-bounces at securecoding.org [mailto:sc-l-bounces at securecoding.org] On Behalf Of McCown, Christian M
Sent: Thursday, August 16, 2007 7:23 PM
To: sc-l at securecoding.org
Subject: [SC-L] Software Security Training for Developers



What are folks' experiences with software security training for developers?  By this, I'm referring to teaching 
developers how to write secure code.  Ex. things like how to actually code input validation routines, what "evil" 
functions and libraries to avoid, how to handle exceptions without divulging too much info, etc.  Not "how to hack 
applications".  There are quality courses and training that show you how to break into apps--which are great, but my 
concern is that if you are a developer (vs. a security analyst, QA type, pen-tester, etc.), even when you know what 
could happen, unless you've been specifically taught how to implement these concepts in your language/platform of 
choice (ASP .NET, C#, Java, etc.), you're not getting the most bang for the buck from them.


What vendors teach it?
How much does it cost?
Actual impact realized?

Tx

____
Chris McCown, GSEC(Gold)
Intel Corporation
(916) 377-9428 | c.mccown at intel.com