Network Computing is part of the Informa Tech Division of Informa PLC

Is Application Security Training Worth the Money?

Software security--sometimes called application security by the myopic--is catching on. That's good because we can certainly use less broken software in the world. But it's bad because there aren't enough knowledgeable people to build secure software. You see, the people who build software know next to nothing about security. It's no wonder they keep cranking out the security holes. One partial solution is to train your developers.

The problem is that everyone and their brother seem to be hanging up a shingle to teach about software security. Asking a potential instructor the right questions will determine whether you end up being shafted, or actually affect the way your developers build software.

BEYOND FEATURES AND BUGS

Watch out for curricula built around security features alone. Although cryptography, a prime example of a security feature, is interesting to developers, you can't just liberally apply it to solve the software security problem. Developers are trained from birth to think about features and functions. They'll think (incorrectly) that a course on security features is just what the doctor ordered. But it doesn't work that way.

It's better to teach developers about software security touchpoints such as code review with a source inspection tool and architectural risk analysis than it is to teach them about the latest glittery security software.