Monday, October 27, 2008
How many enterprises train their developers on how to write secure code?
Before we get started, it is important to first acknowledge that training is not the same thing as awareness, and that awareness on its own is an enterprise architecture antipattern...
On Friday, I had a conversation with Derek Slater, Editor in Chief of CSO Magazine. One of the things that I would have loved to suggest for him to explore is that one of the reasons the blackhats are beating out the whitehats is that enterprises aren't actually training their developers to write secure code. What would happen if their sister publication, CIO magazine, asked Esther Schindler to write an article on why CIOs are missing out on important opportunities to actually secure the enterprise by simply encouraging their staff to attend local OWASP chapter meetings?
There is a huge disconnect between software development and security in most shops. I bet it wouldn't be difficult to find a CSO who can use the word holistic in a sentence but otherwise hasn't yet figured out that security includes software development. Wouldn't it be fascinating if CSO did a simple survey to see how many enterprises are teaching secure coding practices to their development staff?
Anyway, security awareness efforts prepare employees for more detailed assurance training. Awareness, a general understanding of the importance of information security, makes them more receptive to the targeted training that helps remove vulnerabilities associated with employee behavior. Chad Perrin of TechRepublic talks about the process but never talks about the depth required in order to be truly sustainable or secure. For example, it is noble to talk about concepts around encryption, but there are lots of ways that it can be developed insecurely and cause bigger problems....
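To make the last point concrete, here is an added example (mine, not from the original post) of two of the "insecure ways" a developer who has only had awareness-level exposure to encryption tends to produce: encrypting without authenticating, and reusing a nonce with a stream cipher. The cipher itself is a constructed toy (HMAC-SHA256 in counter mode as a keystream, standard library only) so that it runs offline; the keys, nonce and messages are constructed sample values. Real code should use a vetted AEAD such as AES-GCM, but the failure modes shown here are exactly the ones such a mode exists to prevent.

```python
import hmac
import hashlib

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: HMAC-SHA256(key, nonce || counter) blocks, concatenated.
    Constructed for the demonstration only; not a production cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# --- Insecure way #1: confidentiality without integrity ----------------------

def encrypt_unauthenticated(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext. Nothing protects the ciphertext from modification."""
    return nonce + _xor(plaintext, _keystream(key, nonce, len(plaintext)))


def decrypt_unauthenticated(key: bytes, blob: bytes) -> bytes:
    """Decrypts whatever it is given; a modified ciphertext yields modified plaintext silently."""
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return _xor(ct, _keystream(key, nonce, len(ct)))


# --- Hardened form: encrypt-then-MAC with a separate MAC key -----------------

def encrypt_authenticated(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || HMAC tag over (nonce || ciphertext)."""
    body = encrypt_unauthenticated(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, body, hashlib.sha256).digest()
    return body + tag


def decrypt_authenticated(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Verifies the tag in constant time before touching the ciphertext."""
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext authentication failed")
    return decrypt_unauthenticated(enc_key, body)


def corrupt_byte(blob: bytes, index: int) -> bytes:
    """Simulates a single byte altered in transit (low bit flipped)."""
    b = bytearray(blob)
    b[index] ^= 0x01
    return bytes(b)


# --- Insecure way #2: nonce reuse with a stream cipher -----------------------

def nonce_reuse_leaks(key: bytes, nonce: bytes, p1: bytes, p2: bytes) -> bool:
    """True when two messages encrypted under the same key and nonce leak p1 XOR p2:
    the keystream cancels out, so the XOR of the ciphertexts equals the XOR of the plaintexts."""
    c1 = encrypt_unauthenticated(key, nonce, p1)[NONCE_LEN:]
    c2 = encrypt_unauthenticated(key, nonce, p2)[NONCE_LEN:]
    return _xor(c1, c2) == _xor(p1, p2)


if __name__ == "__main__":
    key, mac_key, nonce = b"k" * 32, b"m" * 32, b"n" * NONCE_LEN  # constructed sample values
    msg = b"hello world"
    tampered = corrupt_byte(encrypt_unauthenticated(key, nonce, msg), NONCE_LEN)
    print("unauthenticated, tampered decrypts to:", decrypt_unauthenticated(key, tampered))
    try:
        decrypt_authenticated(key, mac_key, corrupt_byte(encrypt_authenticated(key, mac_key, nonce, msg), NONCE_LEN))
    except ValueError as exc:
        print("authenticated, tampered rejected:", exc)
    print("same nonce twice leaks p1^p2:", nonce_reuse_leaks(key, nonce, b"attack at dawn", b"attack at dusk"))
```

The two lessons a training session (as opposed to an awareness session) would drill: decryption must fail closed when the tag does not verify, using a constant-time comparison and a MAC key separate from the encryption key; and a nonce must never repeat under the same key, which in practice means generating it with a CSPRNG or a strictly increasing counter rather than a fixed value.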