Monday, 23 April 2012

Why should a developer care about security training?

I was asked this question via SI (who have a bunch of application security focused CBT courses) and since Google was not able to find a good answer, here are my views on this.

Firstly I want to say that I have the utmost respect for developers who ship code (even before I became one). I have done a lot of developer training, and always took the view that blaming the developers for security problems was making them a scapegoat: there are far too many moving parts in the development of secure code, and the developer is just one of them.

And although I argue that Secure Coding (and Application Security) must be invisible to developers, that doesn't mean that developers should not be aware of it or should not learn about it.

They absolutely should, since, just like Quality and Testing, security is the responsibility of everybody who writes code (see Security evolution into Engineering Productivity).

So why should a developer care about security training? Here are my top reasons:

  • Increase Knowledge
  • Learn new Tricks and Techniques
  • Improve Testing Skills
  • Improve Productivity
  • Improve Career
  • Have Fun
  • Learn the 'Application Security' language
  • Write more robust code
  • Write more secure code
Let's expand on these:

Increase Knowledge:  
The security field is filled with amazing techniques to break or protect an application's security.

I remember being massively impressed when I really figured out how Buffer Overflows, SQL Injection, XSS or CSP actually worked. There is so much to learn in this field, and in a lot of cases we are really looking at pure knowledge.

Developers usually tend to have a focused approach to their learning paths, while security is more about the entire ecosystem, where the security of the whole depends on the security of the parts (and on how they interact).

Learn new Tricks and Techniques
This is something I can completely relate to, since I am a much better .NET/Web developer due to my security research.

I feel I have a 3D view of the CLR and Browser/HTTP/Server world, and when I have a problem my bag of tricks (even before O2) is enormous.

Improve Testing Skills
More and more, security is connected with testing and unit tests, and a lot of the code created during security analysis can (and should) be reused in testing.

One area that is often overlooked when talking about secure coding is the need to have tests that validate the assurance being made: "...so this XYZ code is secure??? OK, prove it! OK... and what about in 6 months' time, will it still be secure?"
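The "prove it, and keep proving it" point can be made concrete with ordinary unit tests. The block below is an added example and is not code from the original post: the two application functions, their string-building "before" versions, the payload lists and the in-memory SQLite table are all hypothetical, constructed for this example. Each check is written as a function that returns True or False so that the same check can be pointed at the fixed code (where it passes) and at the pre-fix code (where it fails); that is what turns a security finding into a regression test that still runs in six months.

```python
"""Security assurances expressed as unit tests (added example, hypothetical code)."""
import html
import sqlite3

# --- application code under test (hypothetical) ------------------------------

def render_comment(author: str, body: str) -> str:
    """Fixed version: both untrusted fields are HTML-encoded before insertion."""
    return f"<p><b>{html.escape(author)}</b>: {html.escape(body)}</p>"


def render_comment_unsafe(author: str, body: str) -> str:
    """The 'before' version a review would have flagged: raw interpolation (XSS)."""
    return f"<p><b>{author}</b>: {body}</p>"


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table with two sample users for the tests."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def find_user(conn: sqlite3.Connection, name: str) -> list:
    """Fixed version: parameterised query, the name never becomes SQL text."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def find_user_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """The 'before' version: SQL built by string formatting (SQL injection)."""
    return conn.execute(
        f"SELECT name, email FROM users WHERE name = '{name}'"
    ).fetchall()


# --- the assurance, as reusable checks ---------------------------------------

# Constructed payloads; in practice these come straight from the finding.
XSS_PAYLOADS = [
    "<script>alert(1)</script>",
    '" onmouseover="alert(1)',
    "<img src=x onerror=alert(1)>",
]

SQLI_PAYLOADS = [
    "' OR '1'='1",
    "alice' --",
    "x' UNION SELECT name, email FROM users --",
]


def html_assurance_holds(renderer) -> bool:
    """True if no payload can add markup: the only angle brackets in the output
    are the template's own four tags, and no raw quote survives encoding."""
    for payload in XSS_PAYLOADS:
        out = renderer(payload, payload)
        if out.count("<") != 4 or out.count(">") != 4 or '"' in out or "'" in out:
            return False
    return True


def sql_assurance_holds(lookup) -> bool:
    """True if the lookup still finds a real user, returns no rows for every
    injection payload, and never lets a payload reach the SQL parser."""
    conn = make_db()
    try:
        if lookup(conn, "alice") != [("alice", "alice@example.com")]:
            return False
        for payload in SQLI_PAYLOADS:
            try:
                rows = lookup(conn, payload)
            except sqlite3.Error:
                # A syntax error means the payload was parsed as SQL: still a failure.
                return False
            if rows:
                return False
        return True
    finally:
        conn.close()


if __name__ == "__main__":
    # The fixed code passes, the pre-fix code fails the very same checks.
    print("html fixed:", html_assurance_holds(render_comment))
    print("html before:", html_assurance_holds(render_comment_unsafe))
    print("sql fixed:", sql_assurance_holds(find_user))
    print("sql before:", sql_assurance_holds(find_user_unsafe))
```

The useful property is that the checks take the function under test as an argument: the payload lists are the finding, the check is the assurance, and wiring them into the normal test suite is what keeps the answer to "will it still be secure in 6 months?" honest.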

Improve Productivity
Developers should pay very close attention to the tools and techniques used in the application security world, since they can help to solve a lot of problems and increase their productivity.

What I like the most about the Security evolution into Engineering Productivity concept is that it uses Testing/Security as a way to push engineering excellence into an application (and improve the developer's productivity).

Improve Career
There is a MASSIVE career opportunity for the developers who are able to pick up application security skills. Not only will they become much better developers, they can also become the 'internal security expert', which is a role that needs to exist in every development team.

They will also be able to join security teams or companies (who cannot find enough people to hire), since it is much easier to teach a developer security than it is to teach development to a 'security professional'.

Have Fun
Both exploiting and fixing code is a lot of fun. There is a kind of wild-west/game environment, and when things work, the feeling is just amazing.

Why do you think the application security field is made up of such a passionate crowd? For example, look at these 180 crazy ones from OWASP who went all the way to Portugal to work non-stop on Application Security issues.

Learn the 'Application Security' language
The Application Security field is really good at coming up with crazy names (XSS, CSRF/XSRF, Frame-jacking, SQLi, Off-by-One, AutoBinding/OverPosting, etc...), and it's always good to have an idea of what the other side is talking about (the same applies in reverse, and I would be wary of an 'application security expert' who doesn't know what TDD, Git or MVC is).

Write more robust code
The end result is that the new security techniques/knowledge will make developers actually write more robust code, which will be tested much more thoroughly and will be harder to break.

Write more secure code
And finally, what will also happen is that we will end up with more secure code. A developer with security knowledge has a much better view of the side-effects of the code he/she is writing and is able to code along much stronger/safer paths.


... final comment: if it is mandated, make the most out of it....

Sometimes a developer will find themselves in a position where there is a mandate to take 'Security Training' and there is no way out. I would say that those developers should remember that 'in life you usually cannot change your tasks, but you can always change your attitude in executing those tasks'. Security training should be seen as an opportunity, and it's in the developer's best interest to make the most out of the investment made in his/her education.