If you want developers to give a hoot about security, take a lesson from the squirrels

Kenneth van Wyk | June 24, 2014
The problem with all too many software developers, from a security professional's point of view, is they lack a healthy sense of mistrust.

And how do we get developers to emulate squirrels? One answer might be to expose them to a knowledge base of security issues in a way that they can internalize. Don't hand them a bunch of papers on SQL injection, XSS, etc., and hope for miracles.

I've found that developers, like most people, learn best by hands-on experience. I like exposing them to tools like OWASP's venerable WebGoat and having them work through exercises where they perform attacks like SQL injection and XSS themselves. Once they see what can go wrong when untrustworthy data inputs poison an application and get the application to misbehave in sometimes spectacular ways, they tend to internalize the issues thoroughly.
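
The kind of hands-on lesson described above, as an added example that is not from the column or from WebGoat: the same untrusted login input is run through a query built by string concatenation and through a parameterized query, against a constructed in-memory SQLite table, so a developer can watch the first one misbehave and the second one stay honest. The table contents and the `login_*` function names are assumptions made for this demonstration.

```python
import sqlite3

# Constructed sample rows for the lesson database (not from the article).
USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """Build a throwaway in-memory database with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_concat(conn, name, password):
    """The 'before' version: untrusted input is pasted into the SQL text,
    so the input can change the query's structure, not just its values."""
    sql = ("SELECT name FROM users WHERE name = '%s' AND password = '%s'"
           % (name, password))
    return sorted(row[0] for row in conn.execute(sql))


def login_param(conn, name, password):
    """The hardened version: placeholders keep data as data, whatever it holds."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (name, password)))


def demo():
    """Run both versions with a well-formed login and with a classic
    WebGoat-style tautology in the password field; return all four results."""
    conn = make_db()
    good = ("alice", "s3cret")
    bad = ("alice", "' OR '1'='1")
    return {
        "concat_good": login_concat(conn, *good),   # ['alice']
        "concat_bad": login_concat(conn, *bad),     # every user: the WHERE clause was rewritten
        "param_good": login_param(conn, *good),     # ['alice']
        "param_bad": login_param(conn, *bad),       # []: the quote is just a character
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The point a developer should take away is in `concat_bad`: the application did exactly what it was told, and what it was told was written by whoever typed into the password box.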

Most computer scientists who enter the workforce are not exposed to much in the way of security training, if any at all. When you hire these folks, invest the time and energy to show them firsthand what can go wrong. When they can see those sorts of things with their own eyes, they're far more likely to have the right sort of attitude about software security. You'll end up with not just developers who act a bit like squirrels (in a good way), but highly sarcastic squirrels, who will look at the requirements for a very cool piece of software, roll their eyes and say, "What could possibly go wrong?"
