Fifteen years ago, a common representation of the hacker was a computer science college student hacking systems from his or her dorm room. Nowadays hackers operate on a different scale; they are more often affiliated with criminal organizations or nation states than with colleges or universities.
The only thing today’s cyber attackers have in common with college students from 15 years ago can be summarized in two words: SOFTWARE VULNERABILITY. Most recent attacks involve the exploitation of a zero-day software vulnerability that was almost certainly introduced by software engineers who were themselves computer science college students several years ago. Sadly, software security is not a significant part of most software engineering curricula, leaving developers to learn defensive coding techniques on their own, or their employers to invest in expensive security engineering training.
Early on, SAFECode members acknowledged that all successful software security initiatives have been built on the foundation of a comprehensive security training program, and in 2009 published a report entitled “Security Engineering Training – A Framework for Corporate Training Programs on the Principles of Secure Software Development”. This became a useful resource to help software security leaders define a training program, but it did little to address the knowledge gap in software security across the software development ecosystem.
This week, SAFECode is going a step further and is releasing to the public online security engineering courses based on internal training materials used by SAFECode members. The first six courses of this program were donated by Adobe (thank you Brad!) and then reviewed and enhanced by experts from the other SAFECode member companies. These first courses touch on topics as diverse as Cross-Site Request Forgery, access control and injection 101. Please go and check out these courses at https://training.safecode.org.
Who is the target audience for these courses?
These courses are for software developers who do not want the code they create to become the target of a cyber attacker’s spear-phishing attack. They are also for anybody who is developing a software security curriculum, whether in a technology company, an IT department, a college or a university, and is looking for relevant content. At EMC we are integrating these courses into our existing software security curriculum.
Will SAFECode publish additional courses?
The field of software security is much broader than the six topics covered by these initial courses, and we are already in the process of reviewing more courses.
With these courses now available, are software vulnerabilities a thing of the past?
There is no silver bullet for providing software assurance, neither a magic tool nor a set of training courses. Software assurance can only be delivered through a comprehensive process (see “Fundamental Practices for Secure Software Development”). A knowledgeable developer community is an absolute prerequisite to the successful roll-out of such a process. SAFECode member companies hope that by releasing these courses we will contribute to improving the collective knowledge of security engineering among the developer community and create more fertile ground for the broader adoption of secure software development practices, which has been the charter of SAFECode since its inception.