I read an interesting question this morning concerning what to teach developers. Should organizations spend time teaching developers hacking techniques or writing secure software? If both, how should they mix it up?
I’m happy to hear questions like this because it’s putting the focus where it needs to be: on developers. For far too long security has been focused on the network. I can’t remember where the statistic came from, but I think ~75% of breaches last year were application based. Training developers to stop vulnerabilities early in the SDLC is the best way of shrinking that percentage.
Teaching developers about hacking techniques is important. I believe Sun Tzu said “know thy enemy” and that was hundreds of years ago. With that being said, developers do not need to know everything about hacking techniques. If an individual developer is interested in software security, encourage them to learn more. This type of developer is referred to as a “satellite” in Building Security In Maturity Model (BIMM). Satellites can be extremely useful in raising the awareness of software security and sharing ways to stop vulnerabilities. In BIMM, they are a crucial part of the success of the Software Security Group (SSG).
Every developer should have a crash course in software security covering the consequences of writing insecure software and the most common attacks. I think the focus should be on writing better software; specifically writing reusable software that emphasizes security. Keeping developers trained on writing secure software is difficult, so its better to take them out of the loop. Try to break your applications up into pieces and use secure frameworks to move information between the layers. This is a much better approach than relying on every developer to know how to prevent security vulnerabilities.