Training development staff in secure coding practices pays huge dividends

Tuesday, November 25, 2008

Hi, this is Evelyn Sell. I am a Senior Principal Program Manager in Oracle Global Product Security. My primary function is in the security compliance area, helping to ensure that the various development organizations follow Oracle Software Security Assurance policies. This includes managing secure coding training that is based on Oracle’s Secure Coding Standards.

I am often asked what it takes to write secure code. In my experience, developers generally cannot avoid introducing security flaws in their code if they don't know what to watch out for. It is also my experience that people generally, and developers in particular, want to do the right thing, but they need to know what the right thing is.

For the purpose of this blog, we will not go into why software security is important; that is pretty much common knowledge by now. There is, however, a significant paradox: writing secure code is not commonly taught at universities as part of the Computer Science curriculum. In a previous blog entry, Mary Ann Davidson described the difficulties faced by software vendors such as Oracle in finding developers with secure development expertise. Universities typically do not teach secure coding to their IT grads.

Even if secure coding skills were taught in schools, there is already a large pool of software professionals who have been writing code for some time and would not be security-aware unless their company rolled out secure coding practices training. Thus, until the need for security training has been met externally by the education system for some time, it falls on software vendors to train their staff. The cold, hard fact is that coding responsibly means knowing how.

At Oracle, mandatory security training has been in place for several years and is fully supported by executive management. The majority of development staff across Oracle has completed the training. New hires, or staff joining Oracle via acquisitions, are automatically notified of the mandatory security training requirement, as applicable.

In my experience, some developers expect their product to be used only in the way in which it was intended, thinking “Why would anyone do anything different?” Well, for one, software users (customers) are typically not involved in the design and development phases of the product, so the use cases anticipated by development may differ from how the software is used in “real life”. Security researchers and malicious hackers will not feel bound to use the product in the way intended by developers: they will explore avenues to break in, in ways that the developer did not foresee. For example, a malicious attacker may attempt to inject SQL commands, hoping to demonstrate that the developers did not provide sufficient input validation (best case scenario), or, in a worst case scenario, attempting to gain access to the data or to gain additional database privileges. In addition, QA testers are inherently focused on ensuring that the product works as it is supposed to, whereas in many instances security researchers and malicious hackers will do exactly the opposite with “negative” or “destructive” testing. In many ways, the job of the security researcher is to explore the boundaries outside of the normal use of software. An important aspect of security training is to help developers become security aware by teaching them to “think like a hacker”.
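To make the SQL injection example above concrete, here is an added illustration (written for this post, not code from the original entry or from any Oracle product) contrasting a lookup assembled by string concatenation with the same lookup using a bound parameter; the table, names and inputs are constructed:

```python
import sqlite3

# Constructed sample data standing in for an application's user store.
SAMPLE_USERS = [("alice", "Alice Arnold"), ("bob", "Bob Bell"), ("carol", "Carol Cruz")]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, full_name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # The "intended use" assumption: username is always a plain word.
    # Concatenation lets the input rewrite the statement itself, so the
    # WHERE clause the developer wrote is not the one the database runs.
    sql = "SELECT username, full_name FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    # Bound parameter: the value travels separately from the statement, so
    # whatever it contains is compared as data and never parsed as SQL.
    sql = "SELECT username, full_name FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def compare(username: str) -> tuple:
    # Returns (rows from the vulnerable query, rows from the safe query)
    # so the two behaviours can be checked side by side.
    conn = make_db()
    return len(lookup_vulnerable(conn, username)), len(lookup_safe(conn, username))


if __name__ == "__main__":
    # A normal input behaves identically; an input that was never part of
    # the use cases exposes every row through the concatenated version only.
    for name in ("alice", "' OR '1'='1"):
        print(f"{name!r}: vulnerable -> {compare(name)[0]} rows, safe -> {compare(name)[1]} rows")
```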

With appropriate training in secure coding principles, development staff will be better prepared to guard against software vulnerabilities and to understand that users will not always adhere to use cases and recommended “best practices”. Security-trained developers become aware of the unintended consequences that may result from choosing the easy way to solve a particular coding problem and leaving their code exposed to exploits. Secure development training also helps prepare developers and QA staff to recognize potential security risks in code they encounter in the larger stack. A desired result of security training is seeing development teams log security bugs against their own code because they are now aware that such bugs exist. With appropriate training every team member becomes a security advocate in his/her own right, an additional gatekeeper who contributes to the increased quality of the code produced by his/her own team.

An additional benefit of secure coding training is that it increases the overall quality of the code produced: most often security bugs are really common coding errors, but with far more serious consequences than “regular” bugs. We generally see that secure coding training helps developers not only avoid potential security flaws, but also prevent other kinds of bugs.

Just as security training is essential for developers, it is equally essential that senior development managers are trained, to help ensure that they make the right decisions when allocating resources and, especially, resist “shortcuts” when facing time pressure: a secure coding solution may take longer than an easier, yet insecure, one, and it is not uncommon for fixing a security bug to introduce delays in the release schedule.

I am often asked at conferences what the key success factor was in rolling out secure coding training to an organization as large and diverse as Oracle. In my mind, and without a doubt, executive management buy-in is the most critical success factor. The benefits of secure coding training must be understood and endorsed from the top down. Executive management must fully support and mandate the application of the secure coding standards. Senior development managers must be trained to be security aware and be willing to sponsor the adoption of the secure coding practices in their teams. The development staff must become aware of these standards, be security trained, and ultimately embrace secure coding principles as a value-add to their work product.

Oracle sees much value in security training. The cost of resource time spent on training is small when compared to the cost of testing and installing just one security fix. Security training does change developer behavior: quality of code improves along with the security posture provided by the software. The most rewarding aspect of my job is seeing feedback from developers such as: “The course is invaluable. Now that our group has completed the training we think more about security when coding.”
