The Only Thing Worse Than Training Your Developers and Having Them Leave…

A standard marketing blurb for training companies says “the only thing worse than training your employees and having them leave is not training your employees and having them stay.”  When it comes to training developers in secure development techniques this is doubly true.

The thing about code is that it has a tendency to stick around longer than anyone ever thinks it will.  Think Y2K.  All of the COBOL code that was developed throughout the 70s and 80s with two digit dates (“clearly this will be replaced by the year 2000”) still happened to be running mission critical systems as the century came to a close.  From a security standpoint at least those were mainframe systems without direct exposure to harsh environments like the public Internet…

There are a surprising number of web-based systems out there now that have been deployed and running for 8-10 years.  8-10 years!  I have done security assessments on a number of systems this old and, without exception, they are full of both technical (SQL injection, cross-site scripting) as well as logical (parameter and cookie manipulation, insecure authentication and authorization) vulnerabilities.  For the risk managers responsible for these systems that is a lot of risk that an organization has absorbed, but that is a topic for another discussion.

If a web development team does not have the training to design and develop secure web applications today, the sins they commit now are going to live on for a long time.  Web application scanners and web application firewalls can help to a certain degree – largely in identifying technical vulnerabilities – but the only way to reduce security defects to an acceptable degree at an acceptable cost is to make sure that developers are creating secure systems from the inception of the development process.  And the only way that developers are going to start creating secure systems is if they know how to develop secure software.  And the only way developers can be expected to know this is if they are trained.  As I mentioned above, the only thing worse than training developers to build secure software and having them leave is not training developers about security and having them stay at your organization building vulnerable application after vulnerable application.  Truly a gift that keeps on giving…
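The distinction the paragraph draws between technical and logical defects is easiest to see in code. The following is an added illustration, not code from the post or from Denim Group: a constructed in-memory order table, a SQL injection flaw beside its parameterized fix, a parameter-manipulation flaw (an order id trusted straight from the request with no ownership check) beside its fix, and a deliberately simplistic signature filter standing in for a WAF rule. All names, data and the filter pattern are assumptions made for the example. The point it shows is that the filter flags the injection payload but has nothing to flag in a perfectly well-formed request for someone else's record, so only the developer's authorization check catches the logical flaw.

```python
import re
import sqlite3


def make_db():
    """Constructed sample data: two customers, each owning one order."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, owner TEXT, total REAL)")
    conn.executemany(
        "INSERT INTO orders VALUES (?, ?, ?)",
        [(1, "alice", 42.0), (2, "bob", 99.0)],
    )
    return conn


# --- Technical vulnerability: SQL injection through string concatenation ---

def find_orders_vulnerable(conn, owner):
    # The request value is spliced into the statement, so it can change the query.
    sql = "SELECT id FROM orders WHERE owner = '" + owner + "'"
    return [row[0] for row in conn.execute(sql)]


def find_orders_fixed(conn, owner):
    # Parameter binding keeps the request value as data, never as SQL.
    rows = conn.execute("SELECT id FROM orders WHERE owner = ?", (owner,))
    return [row[0] for row in rows]


# --- Logical vulnerability: parameter manipulation, missing authorization ---

def get_order_vulnerable(conn, session_user, order_id):
    # The query is parameterized (no injection), but the order id from the
    # request is trusted as-is: any logged-in user can read any order.
    return conn.execute(
        "SELECT owner, total FROM orders WHERE id = ?", (order_id,)
    ).fetchone()


def get_order_fixed(conn, session_user, order_id):
    # Ownership is checked against the authenticated session, not the request.
    return conn.execute(
        "SELECT owner, total FROM orders WHERE id = ? AND owner = ?",
        (order_id, session_user),
    ).fetchone()  # None when the record does not belong to the caller


# --- A toy signature filter standing in for a scanner or WAF rule (assumption) ---

SQLI_PATTERN = re.compile(r"('|--|\bOR\b|\bUNION\b)", re.IGNORECASE)


def waf_blocks(value):
    """True when the request value matches a crude injection signature."""
    return bool(SQLI_PATTERN.search(str(value)))


if __name__ == "__main__":
    db = make_db()

    # Technical flaw: the filter sees the payload, and the fixed query is immune anyway.
    payload = "' OR '1'='1"
    print("waf blocks injection payload:", waf_blocks(payload))       # True
    print("vulnerable query returns:", find_orders_vulnerable(db, payload))  # [1, 2]
    print("fixed query returns:", find_orders_fixed(db, payload))           # []

    # Logical flaw: bob asks for alice's order 1. The request is well-formed,
    # so the filter has nothing to match; only the authorization check helps.
    print("waf blocks order id '1':", waf_blocks("1"))                 # False
    print("vulnerable handler returns:", get_order_vulnerable(db, "bob", 1))  # ('alice', 42.0)
    print("fixed handler returns:", get_order_fixed(db, "bob", 1))           # None
```

Running the script with the constructed data shows both halves of the argument: string concatenation lets the payload return every order and the filter at least notices it, whereas the well-formed request for order 1 sails through the filter and is stopped only by the ownership predicate a developer had to know to write.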

–Dan
dan _at_ denimgroup.com

About Dan Cornell

A globally recognized application security expert, Dan Cornell holds over 15 years of experience architecting, developing and securing web-based software systems. As the Chief Technology Officer and a Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process. He is also the original creator of ThreadFix, Denim Group's industry leading application vulnerability management platform.