With graduating students entering the workforce with no knowledge of secure programming, it becomes the burden of their hiring employers to either teach them about secure programming through training, or to suffer the consequences of vulnerabilities that might be introduced from the programmers' lack of knowledge. The SANS Institute has some training on secure programming, but I think it gets overlooked -- as do the developers.
Let's do a little survey: How many of you have in-house developers? And how much money is spent training your in-house developers compared to your network engineers, general IT staff, and security team?
Based on the answers to the questions above, is your company promoting and developing solid, secure programming skills among its developers? I understand that teaching programming and security skills are different, so comparing the two may be difficult. But I think the issue is that when seeking out security training for IT, there is more emphasis on network and host security, and little to none on development.
Some of the focus on where the training budget goes will of course depend on what will best help protect the organization. If the developers are working on critical apps that touch sensitive data used both internally and on the Web, then obviously a large amount of money should be focused on making sure the programming is secure and the data is protected. Makes sense to me.
What's your experience with training and prioritizing who gets the money?
Drop me a line via e-mail or via the comment form below.
John H. Sawyer is a senior security engineer on the IT Security Team at the University of Florida. The views and opinions expressed in this blog are his own and do not represent the views and opinions of the UF IT Security Team or the University of Florida. When John's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading.