2

To train the development team, there are various options one can take: inhouse presentation with code samples, CBTs so developers do it at their best time, instructor-led courses onsite or inhouse (expensive), using knowledge bases like https://owasp.teammentor.net/teamMentor

We sent a developer to a very expensive course, he came back, but he is not suddenly an expert, and the rest did not benefit from his knowledge. I bet he has forgotten everything now.

I am wondering, how would you get the best results and engagement from developers? I can imagine if we give them a whole bunch videos and CBT to watch, they will not really take it seriously. Do you think assigning each developer a type of attack and asking them to research and find defense best practices and code samples and present to the rest would engage them or deter them?

Goli E
  • 895
  • 1
  • 11
  • 20

3 Answers3

2

There are a few things I've seen have good success.

Developer Standards - This would include things like libraries to use, encryption ciphers and strengths to use, information on testing for input sanitation, etc. The key here is to work very closely with the leaders in the development org.

As long as the data is up to date, accurate, and well put together it saves developers a lot of time. This will ensure your developers spend as little time thinking about pre-determined security configurations and can focus on the problem solving they really are there for. This is also very helpful in that it takes new developers less time to really get up to speed.

Hacking Challenges - These can take a lot of setting up, but as schroeder mentioned, challenging developers to solve puzzles can be a fun way for them to learn. You can put up a system that is vulnerable to some relatively common vulnerability, and challenge developers to get some type of data out they are not supposed to do. Which language/platform/os etc. depends a little on what it is your developers code in.

Static Analysis - Develop good static analysis tools, and expose results to your developers. Help them learn to interpret them so they can write more secure code. This is potentially a ton of work but pays off depending on how many developers you have to train up.

Security Champions - Just like with any other topic, some developers are more fascinated by security than others. Find these folks in your various teams, send them specific information, ensure they report strange security issues to you, etc. You could potentially help teach them more advanced use of security tools and give them at least a basic understanding of code auditing so they can help review their team's code. Give them t-shirts, little awards, and other recognition and always, always be sure to THANK them. :)

theterribletrivium
  • 2,679
  • 17
  • 18
1

I think web security is summarized in this phrase:

Don't Trust any data received from the client...!

1) As your developers try to stick to this rule, they will understand some parameter-based attacks like SQLI and XSS...

2) After that, they'll need to know their framework well and they should become expert in their language, framework and its features and abilities.

As they achieve both abilities I mentioned above, they'll become specialist hardening experts in their field...!

The problem with this path is that it takes time... A diligent developer needs to study and practice at least one year in order that he/she could mitigate attacks effective and reliable.

I think there is no need for expensive courses or learning materials. There are many great resources and references like CVE, CWE, CAPEC, OWASP and WASC that present educational info or threat classification which you can use them for free...

Amin Saqi
  • 296
  • 3
  • 9
0

The best way to train a developer? Give them a puzzle to solve the tools to do it:

Give them the best training that you can afford, but then reward them for finding/breaking their peer's code using what they have learned. You will find them motivated to learn and apply their knowledge.

schroeder
  • 123,438
  • 55
  • 284
  • 319
  • something like a bug bounty? We have penetration testers and we find enough vulnerabilities. We like to prevent introduction of the vulnerabilities at the first place. – Goli E Jan 10 '15 at 00:51
  • the point is for the devs to find their own bugs before it gets to the bug bounty stage. It's not about the bugs, but about the skills and challenge to find them. – schroeder Jan 10 '15 at 01:02
  • @GoliE if they know their code will go through a pen tester before reaching production then they have little incentive to think like an adversary during development. I'd suggest either rotating developers into a pen tester role or have a pen test stage conducted by developers before going to the dedicated pen testers. This will give your developers hands on experience at recognising situations that could potentially compromise security. – thexacre Jan 10 '15 at 01:20