Security Awareness Blog

A Foundation for Developer Security Awareness Training: Part 1

Guest Editor: Today's post is from Eric Johnson. Eric is a Senior Security Consultant at Cypress Data Defense and the Application Security Curriculum Product Manager at SANS. In this series of posts Eric will take a look at laying a foundation for Developer Security Awareness Training.

Laying a foundation for developer security training is not an easy task. Those of us who have worked in the information security world long enough have seen the roadblocks:

  • Development teams do not have enough time
  • The project does not provide enough funding
  • The organization does not have the expertise to create a training program
  • It's more important to release new features

Anyone reading this post has likely heard reasons similar to these for not taking action. In this multi-part blog post, we will show you how to get started and what developer security awareness training could look like inside your organization.

What have we learned from the past?

The headlines from the past year alone should be more than enough ammo to convince anyone in your organization that you NEED an application security program.

  • The Heartbleed OpenSSL bug affected web traffic for millions of applications, devices, and operating systems. Many security experts classified the zero-day vulnerability as the most catastrophic software bug known to date. Within a few months, Heartbleed was used to attack a private healthcare network and extract millions of patient records.
  • Travel industry web sites were targeted, resulting in major casino and online travel agencies being breached. Attackers were able to steal employee information along with millions of credit card numbers, email addresses, and password hashes.
  • Social media also took a massive hit as hundreds of celebrity accounts were compromised and hundreds of thousands of "deleted" pictures were posted online.
  • Point of sale systems continued to be successfully breached, resulting in millions of consumer credit card numbers being stolen from several different companies.
  • To close out the year, we saw malware take over large corporate networks, extract gigabytes of information, and hold entire companies ransom.

The above examples are only a small sample of the information security specific incidents that seemed to make the headlines every week last year. While the attacks, motivations, and methods vary, I think the one thing we can all agree on is this:

Security is everyone's job.

The number of security incidents will continue to rise until we properly train our employees, raise awareness, and understand what is at risk. In the next post, we will look at why we are failing as an industry, and how we can improve.

Bio: Eric Johnson is a Senior Security Consultant at Cypress Data Defense and the Application Security Curriculum Product Manager at SANS. He is the lead author and instructor for DEV544 Secure Coding in .NET, as well as an instructor for DEV541 Secure Coding in Java/JEE. Eric serves on the advisory board for the SANS Securing the Human Developer awareness training program and is a contributing author for the developer security awareness modules. His experience includes web and mobile application penetration testing, secure code review, risk assessment, static source code analysis, security research, and developing security tools. Eric previously spent six years performing web application security assessments for a large financial institution and another four years focusing on ASP.NET web development. He completed a bachelor of science in computer engineering and a master of science in information assurance at Iowa State University, and currently holds the CISSP, GWAPT, GSSP-.NET, and GSSP-Java certifications. Eric is located in West Des Moines, IA and outside the office enjoys spending time with his wife and daughter, attending Iowa State athletic events, and golfing on the weekends.