Spent the last couple of day teaching software security training. The class the usual mixture of developers, architects, and security people. Most had at least 5 years of development experience, and there were about 30 people in the class, so we had at least 125 years of professional development experience in the room. These weren't rookie developers.
As is my wont at the beginning of class I asked how many people had ever taken a day of software security training. Three hands went up. Two had had a one day class, one had a longer class....but it was on RACF in the 80s. So in the room we had over 125 years of development experience and 3 days of security training.
The class had a lot of energy, there were lots of real world examples discussed and we went into many rabbit holes from secure coding practices to identity management & SAML to threat modeling t how to apply in real organization's development lifecycle. At the end there were a lot of good comments and feedback, but one stood out, one of the developers wrote on their comment sheet:
Afterwards, I tweeted this quote saying how much I enjoyed the class, and "welcome to the party!", I got some comments from people thinking I tweeted sarcastically like "oh what an idiot, how did that person not know that already?"
I have learned that the Web is just a giant piece of Swiss cheese
Here's the thing - I wasn't being sarcastic at all. I'm sincerely happy to help developers think through security failures and how to avoid them where possible. Probably get the most professional satisfaction from this.
As to the - "how could they not know this already" - part, better question is - how would they possibly know it at all? It ain't in Kernighan & Ritchie, it ain't in Core Java, it ain't J2EE patterns, its not even in Enterprise Integration patterns; software security knowledge is located precisely nowhere a developer spends their time. A century plus of programming versus a day or so of security training? Give me a break.
Information Security groups should be the ones helping to close this gap, but most of the time they play around with various network tools, and since the whole point of scalable networks is that the network is designed to be dumb, this means at best the information security budget is spent on the dumbest part of the system (the network) while the smart part of the system - apps, data, identity (also known as assets) - get little focus.
Jeff Williams had a great tweet on this today
Blaming software developers for insecurity is the most divisive and counterproductive thing we could possibly doPrecisely, and this is dumb from two perspectives. First you cannot simply put all the blame on developers its not all their fault in fact they may not even be in the top 5 of people to blame, and secondly if you want to get out of this mess (instead of obsessing about threat du jour)- the developers are your way out. They are the ones who are going to build the bridges out of stone instead of wood, and then build them out of steel instead of stone. Nobody starts a career in development to have the code fall over in a stiff breeze, show them how to build more resilient systems.
Security needs to build bridges with developers, not burn them down. (James McGovern and I have a paper on exactly this topic in the next IEEE Security & Privacy journal so much more on this later.) Training is a very good example of this, not just because I do training but because I have seen it work. Many times. And work in a very cost effective way.
Both developers and security people need training in these areas, the old ways don't work any more. Developers need to know what they don't know about security, and isn't anywhere obvious unless they sit in training and think, talk, discuss, build/break it hands on style. Security needs training just as much, you can't bolt security onto a network and then cram a gajillion users and quadrillion lines of code app and hope for the best. Hope is not a strategy, neither is divisive/counterproductive blaming of developers. You gotta unify the concerns of developers and security, find shared goals. You gotta get in the same boat.
Maybe instead of pizza parties and lunch and learns, you can do a fondue party. Have the developers bring the bread and the security people bring the Swiss cheese.