Security Awareness Training for Software Developers

“The easiest way to significantly reduce security risk is by relevant, routine security awareness training.”

“More threats could be prevented through simple and consistent software development practices.”

Knowledge is a Powerful Tool

Only careful design and coding can protect today’s business applications. Most programmers, content managers and webmasters understand very little about secure development processes. Instead, they rely on network firewalls for security. Unfortunately, these firewalls cannot distinguish between legitimate application traffic and packets from a hacker intended to subvert the unprotected logic of the software. Just as importantly, the network mechanisms cannot classify sensitive data (e.g., account names, credit card numbers or passwords) passed from the application to unauthorized individuals. Thus, much software represents a “ticking time bomb” to the organization, vulnerable to a wide variety of attacks used to vandalize, disable or subvert its intended service.

Did you know that?

Over the past two years, there has been a sharp rise in security exploits against vulnerable application software. Many companies devote substantial resources to auditing their business applications. These same companies then spend money and time fixing the problems identified. Even worse, most companies expend much greater resources responding to attacks against vulnerable software. Often, these weaknesses cannot be identified during post-development audits, so companies spend twice.

A recent study compared the cost of implementing security into applications at various stages of the development life cycle. Some of the interesting findings from that study include:

  • Adding security during coding costs 6.5 times more than architecting it during the upfront software design process.
  • Implementing security after deployment costs 15 times more than architecting it during the upfront software design process.
  • Fixing security holes after deployment costs 100 times more than architecting it during the upfront software design process.
  • On average, every 1,000 lines of code has at least 5 to 15 defects (United States Department of Defense and the Software Engineering Institute).

“An Ounce of Prevention” or “A Pound of Cure”

Fortunately, providing development staff with the knowledge and tools to avoid many of these pitfalls is easy and inexpensive. Protecting critical business applications is achievable and affordable with the “Security Awareness for Software Developers” one-day training curriculum from Network & Security Technologies. Through it, personnel will develop an understanding of fundamental rules for project managers, designers and programmers. These include:

  • Understand attacks used against web-based and other modern software.
  • Produce clear documentation of the security architecture used to safeguard operations and information.
  • Conduct rigorous design and code reviews that demonstrate defense against common problems such as buffer overflows and race conditions.
  • Test throughout the development cycle for security flaws.
  • Maintain solid configuration management procedures that ensure the integrity of every byte and line of code and content.

Training, a Tried and True Solution

While programmers and designers represent one of the most highly educated segments of an organization’s employees, few will take up the study of security techniques on their own. Books on the subject can reach some; however, the vast majority will require a classroom environment to enforce the learning process for those who need it the most. Network and Security Technologies (N&ST) has developed security training for staff involved in the software development process. This progressive curriculum can be tailored to any company’s specific environment. It divides the material into two key audience segments:

  1. Software Development Managers and Project Managers
  2. Software Architects and Designers, and Programmers

Each segment is adapted to the technical depth appropriate to its attendees. These concepts apply equally to client-side applets, server-side applications, business logic engines, databases, core applications and interfaces to legacy systems. Examples include scripting languages (e.g., PERL, JavaScript, VBScript), object-oriented languages (e.g., VBasic, C++, Java, .NET), and low-level languages (e.g., C, Assembler, Fortran).

Student Materials and Curriculum

The standard N&ST course includes bound student workbooks covering all presented topics, with recommended additional reading. At your option, N&ST will administer a final exam to gauge students’ absorption of the material.

Secure Software Development for Programmers Course Outline

Module One

  1. Introduction
  2. Security Overview
    1. Terminology
    2. Key Concepts
  3. Security Policy
    1. Fundamental Definitions
    2. Classification
    3. Criticality
  4. Secure Programming Process
    1. Interpret the design
    2. Map execution flow
    3. Identify security features
    4. Define trusted modules
    5. Lay out interfaces
    6. Provide for logging and exception recording
    7. Beware borrowed and open source
    8. Code, Test and Review

Module Two

  1. The Gotchas! - Some Popular Software Attacks
  2. The 10 Guiding Principles
  3. Code Review
  4. Configuration Management
  5. Concluding Remarks
  6. Final Exam
