Thursday, October 14, 2010

Too Long for 140: Developers and Security Training

(Disclaimer: I work for a company that provides security training to developers. My opinions here do not reflect my employer.)

Caleb Sima (@csima) dropped this nugget:
Just got accepted to speak at RSA on not teaching developers about security
This was retweeted by Jeremiah Grossman (jeremiahg):
RT @: Got accepted to speak at RSA on not teaching developers about security < I'd agree in theory, implementation is the hard part
Jeff Williams (@planetlevel) hit back:
@ @ Not teaching developers security is dangerous nonsense. Automatic securification can never exist.
I see the application security model going something like this:
  • Dev: Wow, new whizbang tech that lets me do a, b, and c!
  • Infosec Guy: Wow, Dev is using new whizbang tech that allows me to violate x, y and z!
  • Infosec Guy to Dev: Stop using whizbang tech!
  • Dev to Infosec Guy: Stop stopping me from being {productive, cool, whatever}!
  • Infosec Guy to Dev: OK, at least implement these onerous and difficult security controls!
  • Dev to Infosec Guy: Wow, these controls suck and I never get them right...
  • Infosec Guy: Wow, the Dev people are dumb because they can't implement these onerous controls...
  • [Time passes]
  • Infosec Guy to Dev: Hey! Someone created a framework that magically implements the security controls that you can't seem to grasp!
  • Dev to Infosec: Awesome! Now I need to learn this new framework, backport it into all 1000 enterprise apps, deal with the framework changing every week, being backwards-incompatible, and still have gaps because it doesn't work with m, n, and o frameworks!
  • [Time passes]
  • Dev: Wow, new whizbang tech that lets me do a, b, and c!
  • ...
As for training, though, I'm blasé about it. Unless a developer expresses curiosity about the intricacies of how a weakness in their code can be exploited, I think security training is a waste of time. I think the training should be offered, but not forced. We hope a developer appreciates the sophistication around exploiting a vulnerability, but we cannot 'learn' them. This is where frameworks come in.

Eventually, frameworks (e.g. Hibernate, Spring) do pop up that implement some security control more or less transparently to the developer. I'm a big fan of this approach and think that information security should act more as editors, with developers acting as authors; let them write code!
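The point about transparent controls can be shown in miniature. The following is an added example, not code from the original post or from Hibernate or Spring; it uses Python's built-in sqlite3 module and a constructed two-row users table to contrast the three stages the post describes: raw string building, the "onerous control" (a hand-rolled escaping helper the developer has to remember at every call site), and the framework-style control (bound parameters), where the driver does the work and the query is written the same way regardless of input. The table, rows and hostile inputs are all made up for the demonstration.

```python
import sqlite3

# Constructed sample data for the example (not from the original post).
USERS = [(1, "alice", "alice@example.com"), (2, "bob", "bob@example.com")]


def make_db():
    """In-memory database seeded with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def emails_by_name_concat(conn, name):
    """Stage 1, the 'whizbang tech' with no control: the value is pasted
    straight into the SQL text."""
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def escape_quotes(value):
    """Stage 2, the 'onerous control' the developer is told to apply by hand.
    Doubling single quotes is correct inside a quoted SQL string literal,
    and only there."""
    return str(value).replace("'", "''")


def emails_by_name_escaped(conn, name):
    """Hand escaping applied in a quoted-string context: here it happens to
    work, so the developer believes the helper is sufficient."""
    sql = "SELECT email FROM users WHERE name = '" + escape_quotes(name) + "'"
    return [row[0] for row in conn.execute(sql)]


def emails_by_id_escaped(conn, user_id):
    """The same helper reused in a numeric context, the kind of call site the
    post says developers 'never get right': nothing is quoted, so an input
    with no quote characters passes through untouched."""
    sql = "SELECT email FROM users WHERE id = " + escape_quotes(user_id)
    return [row[0] for row in conn.execute(sql)]


def emails_by_name_param(conn, name):
    """Stage 3, the framework-provided control: the driver binds the value,
    the SQL text never changes, and the developer needs no escaping rule."""
    rows = conn.execute("SELECT email FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def emails_by_id_param(conn, user_id):
    """Binding works identically in the numeric context; the hostile string
    is compared as a value, not parsed as SQL."""
    rows = conn.execute("SELECT email FROM users WHERE id = ?", (user_id,))
    return [row[0] for row in rows]


# Constructed hostile inputs for the demonstration.
NAME_ATTACK = "' OR '1'='1"
ID_ATTACK = "1 OR 1=1"


def run_demo():
    """Returns how many rows each variant leaks for the hostile input
    (2 means the whole table came back, 0 means the input was inert)."""
    conn = make_db()
    return {
        "concat": len(emails_by_name_concat(conn, NAME_ATTACK)),
        "escaped_name": len(emails_by_name_escaped(conn, NAME_ATTACK)),
        "escaped_id": len(emails_by_id_escaped(conn, ID_ATTACK)),
        "param_name": len(emails_by_name_param(conn, NAME_ATTACK)),
        "param_id": len(emails_by_id_param(conn, ID_ATTACK)),
    }


if __name__ == "__main__":
    for variant, leaked in run_demo().items():
        print(f"{variant}: {leaked} row(s) returned for hostile input")
```

The escaping helper passes the test a developer is most likely to write (a quote in a quoted string) and then silently fails at the next call site, which is exactly why a control that lives in the framework rather than in each developer's head is the one that survives.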

So, what do we do in-between that time, when no frameworks exist and when developers and infosec are on different pages?

Thursday, October 07, 2010

Bar None NYC and Watching a Twins Game

I hit Bar None last night in the hopes of being able to wear my Morneau jersey in peace. The bar is known as a Vikings fan club bar, which I think means that some Vikes fans hit it on game day and a couple of TVs are showing the game. The bar itself is about drinking; there's no food. If you're hungry, grab something from outside and bring it in!

When I got there half an hour or so before the game, I was happy to see I wasn't the only Twins fan. There were a couple of guys in Twins gear spaced out around the room. So, apparently I wasn't alone in speculating. Well, funny enough, it's still a Yankees bar, but the DJ running the show was gracious enough. They were wondering why they had so many Twins fans though. :-)

I'm gonna hit a Red Sox bar tonight (the enemy of my enemy is my friend and all that) with a couple of guys I met last night. Let's bring this series to 1-1, boys!
