The most effective way to secure applications is to write them securely, and the best way to achieve this is to train your development team to write safer applications. This article presents the key components of a security program for your development team. In our experience, when your development team is too large to train everybody in depth on security, a two-pronged approach to training yields the best results:
- A basic Security Awareness Workshop for the entire development team
- An advanced Security Boot Camp for a smaller team
The Security Awareness Workshop
A security awareness program should be conducted for your entire team. This can be a 2-3 hour program that illustrates the threats to applications and the origin of vulnerabilities. The objective of this program is to ensure that all team members are familiar with the risks and recognize the importance of safer coding practices. A cheat sheet of Do's and Don'ts will go a long way toward quickly equipping them with a practical checklist.
The Advanced Security Boot Camp
A team of designers, developers and testers from different groups should be brought together for a more intense training program. The objective of the Boot Camp is to quickly inject vital security expertise into the veins of the organization. On completion of the Boot Camp, the participants should be able to transfer knowledge across their team.
The training requirements for designers, testers and developers differ. The Boot Camp should provide an environment for these roles to come together and learn through a combination of classroom exercises and a real project. Here are a few guidelines on the content of the classroom sessions:
- Designers benefit from a case study approach:
  - Start with a vulnerable application.
  - Explain the threats to the application.
  - Demonstrate the exploits that realize the threats.
  - Discuss the solutions to the exploits.
  - Conduct a post-mortem analysis for the designers to analyze how they would design differently.
  - Design a sample application taking into account all the security features that the application should have.
- The developer training is best focused on secure coding. Areas that should be covered are:
  - Secure Coding Guidelines
  - Common mistakes to avoid
  - Safe use of dangerous functions, etc.
- The testers should be trained on how to test the security of the application, the use of web proxy tools like Achilles, and the techniques for exploiting applications using SQL injection, session manipulation, etc. They should be able to include this in their job function.
As part of the Boot Camp, the teams should come together to design, develop and test a small new application so they get first-hand experience of the security issues. This is also a good measure of the effectiveness of the training and evidence of learning. The trainer in turn should have a strong background in application security and experience in the SDLC processes so he/she can share insight and practical issues.
Additional course handouts that we have found effective are:
- A list of DOs for all application coding rather than a list of DON'Ts
- Common mistakes to avoid
- A FAQ for reference
- A guide to application level vulnerabilities