Developers Often Left Out Of Security Training

A good friend was telling me recently about a risk assessment he was involved with in which his organization found some vulnerabilities in the Web application. When they asked the developer about them, the response was, "What is cross site scripting?" Wow -- how is it that in this day and age that someone, who probably considers themselves to be a competent Web developer, doesn't know XSS? Ask them about SQL injection, and the response would probably be the same.Now, working in a university environment day-to-day and having met a lot of students during the years, it's clear that there is little to no focus on secure programming in most academic environments. So my question is, where do we expect programmers to learn about secure programming? I know of some higher education institutions that do focus on secure programming, but there seems to be a much larger percentage that don't.

With graduating students entering the workforce with no knowledge of secure programming, it becomes the burden of their hiring employers to either teach them about secure programming through training, or to suffer the consequences of vulnerabilities that might be introduced from the programmers' lack of knowledge. The SANS Institute has some training on secure programming, but I think it gets overlooked -- as do the developers.

Let's do a little survey: How many of you have in-house developers? And how much money is spent training your in-house developers compared to your network engineers, general IT staff, and security team?

Based on the answers to the questions above, is your company promoting and developing solid, secure programming skills among its developers? I understand that teaching programming and security skills are different, so comparing the two may be difficult. But I think the issue is that when seeking out security training for IT, there is more emphasis on network and host security, and little to none on development.

Some of the focus on where the training budget goes will of course depend on what will best help protect the organization. If the developers are working on critical apps that touch sensitive data that is used both internally and on the Web, then obviously a large amount of money should be focused on making sure the programming is secure and the data, protected. Makes sense to me.

What's your experience with training and prioritizing who gets the money?

Drop me a line via e-mail or via the comment form below.

John H. Sawyer is a senior security engineer on the IT Security Team at the University of Florida. The views and opinions expressed in this blog are his own and do not represent the views and opinions of the UF IT Security Team or the University of Florida. When John's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading.