While there is debate around whether or not end-user security awareness training is worth it, what's most definitely worth it is security training for developers.
With the increase in open source adoption and the dizzying amounts of frameworks that are in use, the only way to stay ahead of the security curve is to understand how to assess application risk and how common vulnerabilities make their way into the codebase.
Training can be a major investment for most organizations. The five points below will enable you to make the most of any security training before, during, and after.
Understand What the Training Covers
Almost every security consultancy sells training of some sort. Some offer a general security awareness course aimed at anyone in the organization, while others are very implementation specific. When assessing a training course, it's important to confirm that it is specific to software development and covers the core technologies developers are currently using in the organization.
Most on-site trainings run about two full days. What should a good training course cover? At the very least, if I were purchasing training for a development team, I'd want the following covered for web-based security:
The OWASP Top Ten web vulnerabilities
Threat modeling with hands-on work
Integrating security in the development lifecycle
Coverage of the OWASP Top Ten is important. The list of the top ten web application vulnerabilities has become an industry standard and represents the most common application security risks. It serves as the basis for a lot of security testing, and much security training focuses primarily on it.
Security training isn't all about vulnerabilities, though. While understanding how to protect applications from vulnerabilities is critical, developers also need to understand the risk a vulnerability poses. Assessing risk can be achieved through the threat modeling process, which is discussed below, as it's an essential part of any security practice.
No discussion of application security is complete without also discussing how to integrate security practices into the development cycle. Knowing how to apply security automation is a crucial topic: if it isn't done right, it causes friction and creates animosity toward the security practices.
Mobile and Web Security Training Are Not the Same
A course for web-based security training is important for any developer. However, it just isn't going to cover topics specific to mobile security. If your organization builds mobile applications, it's worthwhile to have a separate training that covers mobile security targeting the iOS and/or Android platforms.
The reason for this is that, while there is some crossover from the web world to the mobile world, much of mobile security is more like building desktop applications. Some of the risks are inherently different from those of building a web application and need to be discussed and explored. For example, certificate pinning is a security control that should be in place for most mobile applications to add protection to communications between the mobile application and its supporting web services. From the perspective of a web application, this isn't a concern. Issues can also arise from improper usage of platform features, such as storing user passwords in the wrong place. Secure data storage on the mobile platform is another area that presents many problems.
Just like the top ten web application security risks, the OWASP organization also publishes a similar list for mobile applications.
Understand the Technical Requirements
Training is expensive and there's generally limited time to run the course. Since every training is different, it's important to understand what the technical requirements are. Does the training course require attendees to be able to run a virtual machine? Get a copy of the virtual machine to distribute ahead of time if possible. What applications will attendees need? Common security testing tools like OWASP ZAP or Burp Suite require Java to also be installed. Is this a problem? If so, make sure the trainer knows this. What about network connectivity? Is the trainer going to need attendees to access an external application? Can this be white-listed ahead of time?
No one wants to spend time the morning of training dealing with technology issues. While some of it is unavoidable, minimizing this as much as possible will make everything much smoother. Don't assume anything, and make sure that technical requirements are fully understood and can be met. The only effective training courses are ones where the attendees are able to follow along with demos and get hands-on experience. No one wants to sit in a lecture for two work days.
Security Skills Require Ongoing Practice
Security is a skill, and just like any other, it takes practice. Keeping up with vulnerabilities and current research is difficult and time-consuming. The particular manifestation of a vulnerability in one framework can be completely different in another.
A common example of this is cross-site scripting (XSS). Cross-site scripting occurs when an application doesn't output-encode data correctly. Many modern frameworks apply output encoding automatically. However, there are still a few instances in which data may be sent to the client without proper encoding, and if this happens it may result in an exploitable XSS vulnerability. This is why it's important to ensure training covers the frameworks the developers are using. Understanding the particulars across the different frameworks in play within any organization is not trivial.
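The encoding gap described above, shown as an added example in JavaScript (this is not code from the original post): an HTML-encoding helper, a hypothetical template engine that encodes `{{ key }}` by default but inserts `{{{ key }}}` unencoded (standing in for the escape hatches real frameworks offer), and a small review check that lists every raw-insertion site in a template. The template syntax, the function names and the sample comment are all constructed for illustration.

```javascript
// Added example (not from the original post): HTML output encoding, a
// template renderer that encodes by default but has a raw escape hatch, and a
// small check that flags uses of that escape hatch for review.

// Characters that change meaning in HTML element content and quoted attributes.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
  '/': '&#x2F;',
};

// Encode a value for insertion into HTML element content or a quoted attribute.
// This encoder is for the HTML context only; URL, JavaScript and CSS contexts
// each need their own encoding rules.
function encodeForHtml(value) {
  return String(value).replace(/[&<>"'\/]/g, (ch) => HTML_ESCAPES[ch]);
}

// Minimal stand-in for a framework template engine (hypothetical syntax):
// {{ key }} inserts the value encoded, {{{ key }}} inserts it unencoded.
// A single pass is used so inserted values are never re-scanned as template syntax.
const PLACEHOLDER = /\{\{\{\s*(\w+)\s*\}\}\}|\{\{\s*(\w+)\s*\}\}/g;

function render(template, data) {
  return template.replace(PLACEHOLDER, (_match, rawKey, encKey) => {
    if (rawKey !== undefined) {
      return String(data[rawKey] ?? ''); // raw insertion: the XSS sink
    }
    return encodeForHtml(data[encKey] ?? '');
  });
}

// Static check for code review or CI: list every raw-insertion site in a
// template so each one can be justified or replaced with the encoded form.
function findRawInsertions(template) {
  const keys = [];
  for (const m of template.matchAll(/\{\{\{\s*(\w+)\s*\}\}\}/g)) {
    keys.push(m[1]);
  }
  return keys;
}

// Constructed untrusted input, as a user-supplied comment might arrive.
const UNTRUSTED_COMMENT = '<script>alert("xss")</script>';

// Render the same untrusted value through both paths for comparison.
function demo() {
  return {
    encoded: render('<p>{{ comment }}</p>', { comment: UNTRUSTED_COMMENT }),
    raw: render('<p>{{{ comment }}}</p>', { comment: UNTRUSTED_COMMENT }),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

Run it with `node` to see the two renderings side by side: the encoded path delivers the comment to the browser as literal text, while the raw path ships the script tag unchanged. The `findRawInsertions` check is the kind of lightweight security automation the post mentions: it does not decide whether a raw site is safe, it only makes every bypass of the default encoding visible so a reviewer has to justify it.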
Application security is not easy, and no training course is going to be able to cover everything. It should leave attendees with enough information to start applying to their day-to-day development. It needs to also serve as a basis for further study and understanding.
The OWASP Application Security Verification Standard (ASVS) is a great place for developers to start. This guide is a self-assessment style checklist that enables developers to identify areas in their application that may need further security guidance. Along with the top ten security risks and ASVS, OWASP also publishes the corresponding Top Ten Proactive Controls. This focuses on what developers can do to protect against the OWASP top ten security risks.
Application security is at the forefront of security and is not going anywhere. Any effort invested in learning more and keeping up with current trends is well worth the time and money.
Threat Modeling Is Important for Understanding Risk
Based on surveys conducted by Carve during training sessions, developers often overestimate their ability to assess risk. Developers usually have a good hunch for where to focus security efforts but don't fully understand trust boundaries. For example, many developers assume that because the database they are communicating with is within their network, it can be trusted. This isn't necessarily so: when data leaves one application for processing by another, it crosses a trust boundary. Identifying proper trust boundaries is a skill that takes a bit of practice to fully grasp. Failure to understand where a trust boundary lies can lead to underestimating the risk posed by a vulnerability.
Threat modeling is an invaluable tool for looking at an application and its constituent parts to understand what threats may affect it and to what extent. Without a process to understand and evaluate threats, decisions regarding proper security controls can't be made. Threat modeling comes into play during prioritization of issues as well. When evaluating a high-severity issue, where the issue occurs and what it affects may make it less of a priority than another high-severity issue.
A prime example of this is one vulnerability that may allow unauthorized data retrieval as opposed to a vulnerability that allows account access. Vulnerabilities aren't always black and white and the context in which they occur needs to be considered. In this case, the unauthorized data retrieval may take precedence, but depending on the exact nature of both vulnerabilities, the account access issue may be the real threat. Threat modeling aids in this understanding.
A security training session is a great time to introduce threat modeling. Threat modeling is most effective when done in a group, and the training provides the perfect context to get started.
Enjoy Your Training!
Security training and education are major parts of ensuring that applications are written with security in mind. Security has to come from the ground up. Training is a great opportunity to talk to consultants who are actively testing and securing applications across a wide variety of industries and technologies.
In order to get the most out of your training, ask questions, take it seriously, and most importantly, enjoy the time and have fun!
Author: Casey Dunham