Tags: , , , , ,

Channel: Other

Is Application Security Training Worth the Money?

Posted by Gary McGraw
February 01, 2006

Software security--sometimes called application security by the myopic--is catching on. That's good because we can certainly use less broken software in the world. But it's bad because there aren't enough knowledgeable people to build secure software. You see, the people who build software know next to nothing about security. It's no wonder they keep cranking out the security holes. One partial solution is to train your developers.

The problem is that everyone and their brother seem to be hanging up a shingle to teach about software security. Asking a potential instructor the right questions will determine whether you end up being shafted, or actually affect the way your developers build software.

BEYOND FEATURES AND BUGS

Watch out for curricula built around security features alone. Although cryptography, a prime example of a security feature, is interesting to developers, you can't just liberally apply it to solve the software security problem. Developers are trained from birth to think about features and functions. They'll think (incorrectly) that a course on security features is just what the doctor ordered. But it doesn't work that way.

It's better to teach developers about software security touchpoints such as code review with a source inspection tool and architectural risk analysis than it is to teach them about the latest glittery security software.


Page:  1 | 2 |3 |Next Page »

Related Reading

News

Most Popular

Commentary

On the Web

More Insights

White Papers

More >>

Webcasts

More >>


Currently we allow the following HTML tags in comments:

Single tags

These tags can be used alone and don't need an ending tag.

<br> Defines a single line break

<hr> Defines a horizontal line

Matching tags

These require an ending tag - e.g. <i>italic text</i>

<a> Defines an anchor

<b> Defines bold text

<big> Defines big text

<blockquote> Defines a long quotation

<caption> Defines a table caption

<cite> Defines a citation

<code> Defines computer code text

<em> Defines emphasized text

<fieldset> Defines a border around elements in a form

<h1> This is heading 1

<h2> This is heading 2

<h3> This is heading 3

<h4> This is heading 4

<h5> This is heading 5

<h6> This is heading 6

<i> Defines italic text

<p> Defines a paragraph

<pre> Defines preformatted text

<q> Defines a short quotation

<samp> Defines sample computer code text

<small> Defines small text

<span> Defines a section in a document

<s> Defines strikethrough text

<strike> Defines strikethrough text

<strong> Defines strong text

<sub> Defines subscripted text

<sup> Defines superscripted text

<u> Defines underlined text

Network Computing encourages readers to engage in spirited, healthy debate, including taking us to task. However, Network Computing moderates all comments posted to our site, and reserves the right to modify or remove any content that it determines to be derogatory, offensive, inflammatory, vulgar, irrelevant/off-topic, racist or obvious marketing/SPAM. Network Computing further reserves the right to disable the profile of any commenter participating in said activities.

 
Disqus Tips To upload an avatar photo, first complete your Disqus profile. | View the list of supported HTML tags you can use to style comments. | Please read our commenting policy.
 

Featured Webcasts

Research and Reports

Storage Virtualization Guide
May 2012
Network Computing: May 2012

Video


WATCH: Powerbag Lets You Charge Your Phone When You ...

WATCH: MasterCard's PayPass Turns Your Phone Into A ...

WATCH: Ixia Ensures OpenFlow Hardware No Longer Unte ...


View All Videos
Previous Page First Page Second Page Third Page Next Page

Most Popular

Stories Blogs

More Stories »

Featured Whitepapers

Featured Reports

BlogRoll

TechWeb Careers