Security training for developers
09:00 Thursday, 09 September 2021
UK Cyber Security Council
A web search for the term “security training for developers” returns a wide variety of results: “Software Development Security” from Pluralsight, “Developer Security Awareness Training” from SANS, “Security Code Training for Application Development” from Outpost 24 … the list is endless, allegedly running to a count of 488 million.
Such a wealth of available training does make one wonder: are we not, then, teaching security techniques when we teach people how to write software?
The answer is: yes - but probably not enough for this day and age, unless the course is a lengthy one that concentrates solely on software development. It’s a certainty, for instance, that the average university Computer Science course just doesn’t have the capacity to do more than scratch the surface when teaching programming to undergraduates. If we work on the premise that programming classes take a third of a student’s first year, that a computer science course involves perhaps 30 hours a week of teaching and self-study, and that the teaching year comprises 30 weeks, that makes 300 hours of programming over the course of the year. The breadth of material is vast - learning the syntaxes of the languages themselves, data structures, loops, functions, procedures, pre-processor directives, recursion; the list goes on. In the average case, secure development will make up just a few hours of the year.
This simply won’t be enough when one considers the vastness of the security challenge faced by developers: securing client-server systems, defending against buffer overflow attacks, validating user input, watching for number truncation, avoiding race conditions, and so on. Anyone who pursues a career as a developer should expect to undergo further training on key elements such as security.
If this sounds like a criticism of universities, incidentally: nothing could be further from the truth. Computer Science courses aren’t intended to churn out top-class developers, but instead are designed to give a good level of knowledge in a wide variety of key topics, perhaps with a slightly deeper understanding of two or three subject areas, imparted through the optional modules taken in years two and three.
As security professionals and employers we must remember this, acknowledge it, and ensure that where someone embarks on a career as a developer, we deal with the fact that they don’t know everything there is to know about security in software development… and make use of the 488 million options the internet insists are there to fill the gaps.