Secure Coding mailing list archives

Software Security Training for Developers


From: James.McGovern at thehartford.com (McGovern, James F (HTSC, IT))
Date: Tue, 28 Aug 2007 10:27:50 -0400

My general observation of training firms in this area is that they all
tend to use freelance trainers who float between the firms. The notion
of customized courseware is something they sell as a feature but
honestly feels more like a way to avoid actually developing consistent
training approaches where they instead rely on the individual hired
trainer and what they happen to feel comfortable teaching.
 
The issue with training in the language/platform of choice gets more
difficult depending upon what type of environment you reside in. If you
look inside the average Fortune enterprise whose primary business model
isn't technology (e.g. Intel, IBM, Microsoft, etc.) then you will tend to
find lots of variety of languages used in production environments with
no language (with the possible exception of COBOL) being dominant. This
simple fact, combined with the need for across-the-board training, causes
enterprises that use a variety of languages to make training
non-specific to any particular language.
 
Many of the tools also give feedback in a language-specific context
while writing code, so at some level I do believe that language-specific
training is not required.

________________________________

From: sc-l-bounces at securecoding.org
[mailto:sc-l-bounces at securecoding.org] On Behalf Of McCown, Christian M
Sent: Thursday, August 16, 2007 7:23 PM
To: sc-l at securecoding.org
Subject: [SC-L] Software Security Training for Developers

What are folks' experiences with software security training for
developers?  By this, I'm referring to teaching developers how to write
secure code.  Ex. things like how to actually code input validation
routines, what "evil" functions and libraries to avoid, how to handle
exceptions without divulging too much info, etc.  Not "how to hack
applications".  There are quality courses and training that show you how
to break into apps--which are great, but my concern is that if you are a
developer (vs. a security analyst, QA type, pen-tester, etc.), even when
you know what could happen, unless you've been specifically taught how
to implement these concepts in your language/platform of choice (ASP
.NET, C#, Java, etc.), you're not getting the most bang for the buck
from them.

What vendors teach it?
How much does it cost?
Actual impact realized?

Tx

____
Chris McCown, GSEC(Gold)
Intel Corporation
(916) 377-9428 | c.mccown at intel.com
