Everyone involved with software development, deployment, or procurement understands that security is important. As such, it is an area that CIOs consistently identify as a top priority for new IT investment.
Most IT executives now recognize that software security is not just about security features, but also depends on security assurance. System security can be improved through good security mechanisms, but can also be undermined through faulty design or implementation.
Security bugs that allow a malicious user to bypass system security mechanisms are at best a source of concern, and take time and effort to patch. At worst, they can make a software system as vulnerable to attackers as if security mechanisms were never implemented.
Security training for developers is important because most organizations write at least some of the software they use, or customize vendor-written software. Without security training, developers are less likely to produce secure code.
It’s an unfortunate fact that most developers are not required to learn secure coding practices in school. While computer science majors are introduced to design and coding techniques that improve software performance and scalability, relatively few are exposed to secure system design principles, or taught how to avoid common coding errors that result in security bugs.
For example, many programmers would consider an explicit check on the length of an input parameter to be unnecessary and wasteful of processor cycles until they are introduced to the concept of buffer overflow—a favorite means for sophisticated hackers to introduce malicious code into a system.
Unlike developers, hackers are well aware of common design and coding errors, and are adept at finding them in other peoples’ systems. The fact that most organizations make at least some part of their operations or IT systems web-accessible makes a hacker’s job easier and safer (for the hacker).
To keep ahead of hackers, companies must make sure that their development personnel know at least a little of what hackers know, so they can avoid the types of problems hackers exploit. Formal developer training programs are an effective way to do this.
Have Standards and Teach Them
How can a company implement a security training program? Although it sounds obvious, the first requirement for effective developer security training is that a company defines what their developers need to know.
Appropriate goals for a security training program are to ensure developers understand the security standards, practices, and guidelines the company uses when developing and deploying systems—assuming such standards, practices, and guidelines exist.
It’s essential that IT organizations have standards and policies for secure software development and deployment in the first place, and security training is based on and refers to these standards.
Companies that develop software, or run their operations on internally developed software, often write detailed security guidelines specifically for that software (e.g., Oracle has written internal secure coding standards for its developers, and published security best practices deployment guidelines for internal and external customers.)
Companies that are less development-focused may choose to use security standards established by third parties. These may include government organizations such as the National Institute of Standards and Technology (NIST), private organizations such as the Center for Internet Security (CIS), the SANS Institute, and consulting firms (or practices within firms) that specialize in security.
Given Oracle’s global development organization, we instituted a self-paced, Web-based security training class for internal use. The class introduces developers to Oracle’s secure coding standards, and provides examples of coding errors gleaned from real life code examples.
Developers are required to take a knowledge test at the end of the program, and must answer a series of questions correctly in order to pass. We track the security training completion status of each developer and provide regular reports on training compliance to development management and to senior corporate management to ensure a level of security training is maintained in each organization.
Companies with smaller development organizations may consider using instructor-led training, either live or on the Web, to avoid the up front cost of a custom training application.
Some of the organizations (e.g., SANS) that create security guidelines for other companies also offer training programs that are based on, and refer to, the security guidelines they create. If a company chooses to use standards or developer training programs provided by a third party, they need to ensure that the standards and training are appropriate for their own technology and business environment.
Making it a Priority
Software development is skilled, creative work, and is inherently an expensive process. When internal project deadlines, or external product release dates grow near, software managers may be reluctant to make time for activities, like security training, which will take developers away from immediate project deliverables.
Organizations should address this problem from the top down and bottom up. For example, product executives at Oracle are briefed on the cost of security bugs in software products, which may exceed $1 million per bug just for patch development, and on the potential impact of bugs to product sales and corporate reputation.
Since every security bug avoided through improved developer knowledge pays for training several thousand developers, implementing a developer training program is a simple business decision. These classes generate results: There are many examples of developers who identified and fixed security bugs in their own code after taking the security training class.
Organizations that don’t develop software products should consider the potential costs resulting from security bugs in internally developed operations or IT software when considering security training.
Among the potential consequences of security bugs are interruption of critical business operations, corruption of critical data, theft of vital intellectual property, disclosure of sensitive customer or employee information, and failure to comply with government regulations (some of which, such as Sarbanes Oxley, make corporate executives personally liable for lack of compliance).
When compared to these costs, training costs are generally minor.
John Heimann manages Oracle’s Security Program Management team. His team participates in security initiatives across Oracle, helping to enforce security policies as well as looking for opportunities to improve Oracle’s software security assurance processes.