© Copyright 2014 Denim Group - All Rights Reserved
Security Training: Necessary Evil, Waste of Time or A Genius Move?

Research From Denim Group
February 24, 2014
John B. Dickson, CISSP
@johnbdickson

“I personally believe that training users in security is generally a waste of time, and that the money can be spent better elsewhere.”
Bruce Schneier

How Developer Training is Different
• Both trying to change behaviors
  – Target audience has more power to say “no”
  – Deadlines and releases drive training
• For developers, infrequent, but more disruptive
  – 15-45 minutes vs. 2-day class

Yet Training is Mandated
• PCI DSS 3.0
  – Train developers in secure coding techniques, including how to avoid common coding vulnerabilities, and understanding how sensitive data is handled in memory
  – Testing Procedures 6.5.a: Examine software development policies and procedures to verify that secure coding technique training is required for developers, based on best practices and guidance
  – Testing Procedures 6.5.b: Interview a sample of developers to verify that they are knowledgeable in secure coding techniques
  – Testing Procedures 6.5.c: Examine training records to verify that software developers received training on secure coding techniques, including how to avoid common coding vulnerabilities, and understanding how sensitive data is handled in memory

But Results Are Not Measured
• Harvard Business Review
  – Large-scale organization development is rare
  – Measurement of results is even rarer
• Workforce analytics rare
  – More than 25% of survey respondents use little or no workforce analytics
  – The vast majority (>61%) report their use as tactical, ad hoc, and disconnected from other key systems and processes

Growth & Turnover Spur Sense of Urgency
• Software development field growing 30%
• Turnover
  – Industry – 14-15%
  – General IT – ~20%
  – Software Development – ~20-30%
Sources: Bureau of Labor Statistics and Society for Human Resource Management

Research Overview
• Focus: Assess the software developers' depth of software security knowledge
• Purpose: To measure the impact of software security training on that level of understanding
• Survey size: 600 software developers surveyed in North America (US and Canada)
• Vertical markets represented: financial, government, retail, educational, technology, energy and healthcare segments

Respondent Demographics
Chart: Company Size (# of valid responses); bar values as extracted: 24, 23, 148, 53, 56, 128
Chart: Primary Job Function (# of valid responses): Software Developer 233, Quality Assurance 27, Architect 29, Other 143

Respondent Demographics
Chart: Software Development Experience: Less than a Year 10%, 1-2 Years 8%, 2-4 Years 12%, 4-7 Years 11%, More than 7 Years 59%

Respondent Demographics
Chart: Previous App Sec Training (# of valid responses): None 168, Less than a Day 86, At least 1 day but less than 2 days 56, At least 2 days but less than 3 days 27, More than 3 days 95

Methodology
• 15 Multiple Choice Quiz-Style Questions
• Targeted at Software Developers
  – Varied by years of experience, amounts of previous training, primary job function, company industry and company size
• Distribution:
  – Online (before and after)
  – Hard-copy questionnaires given to instructor-led class trainees (before and after)
  – Social media networks (sharing and some paid promotion with incentives)

Hypotheses
1. Most software developers do not have a basic understanding of software security concepts.
2. Software security training can improve a developer’s knowledge of security concepts in the short-term.
3. Certain industries, such as financial services, are more likely to have software developers that are already exposed to key software security concepts.

Sample Questions
If an attacker were able to view sensitive customer records they should not have had access to, this would be a(n) _______ breach.
___ Confidentiality
___ Integrity
___ Availability

Authentication is...
___ Proving to an application that the user is who they claim to be
___ Confirming that the user is allowed to access a certain page or function
___ Verifying that the data displayed on a given page is authentic
___ Thoroughly logging all of a user's important activity

Sample Questions
Marking a cookie as “secure” will...
___ Force all requests that use the cookie to use SSL
___ Prevent an attacker from guessing its value
___ Encrypt it when sent over non-SSL requests
___ Tell the browser not to send it over non-SSL requests

Which of the following will help protect against XSS?
___ Only accepting URL encoded GET parameters
___ Not using any JavaScript in the application
___ Only using JavaScript in .js files stored on external hosts
___ Encoding special HTML characters in data as it is rendered to the page

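The two secure-coding concepts behind the cookie and XSS questions above, in working code: this is an added example, not part of the Denim Group deck, and the function names, the Set-Cookie header and the untrusted input are constructed for illustration.

```python
"""
Question 1: what marking a cookie "secure" does.  The Secure attribute is
an instruction to the browser not to send the cookie over non-SSL (plain
HTTP) requests.  It does not encrypt the value (it is still plaintext on
the wire) and it does not make the value harder to guess.

Question 2: what protects against XSS.  Encoding the special HTML
characters in untrusted data at the point where it is rendered into the
page is the defence; avoiding JavaScript, URL-encoding GET parameters or
hosting .js files elsewhere does not stop injected markup.
"""
import html
from http import cookies


def parse_set_cookie(header_value: str) -> cookies.SimpleCookie:
    """Parse one Set-Cookie header value with the standard library."""
    jar = cookies.SimpleCookie()
    jar.load(header_value)
    return jar


def browser_would_send(header_value: str, request_scheme: str) -> bool:
    """Would a browser attach this cookie to a request made over
    request_scheme ("http" or "https")?  Only the Secure attribute is
    modelled here: when it is set, the cookie is withheld from any
    request that is not over SSL/TLS."""
    jar = parse_set_cookie(header_value)
    (morsel,) = jar.values()          # one cookie per Set-Cookie header
    if morsel["secure"] and request_scheme.lower() != "https":
        return False
    return True


def cookie_value(header_value: str) -> str:
    """The cookie value exactly as it appears on the wire: the Secure
    attribute changes where the cookie is sent, not what it contains."""
    (morsel,) = parse_set_cookie(header_value).values()
    return morsel.value


def render_greeting_unsafe(name: str) -> str:
    """'Before' form: untrusted data concatenated straight into markup.
    Any HTML in name becomes part of the page, which is how reflected
    and stored XSS reach the user's browser."""
    return "<p>Hello, " + name + "!</p>"


def render_greeting(name: str) -> str:
    """'After' form: encode the special HTML characters (< > & " ') at
    the moment the data is rendered.  The browser then displays the text
    literally instead of interpreting it as markup."""
    return "<p>Hello, " + html.escape(name, quote=True) + "!</p>"


# Constructed sample inputs for the demonstration below.
SESSION_COOKIE = "session=abc123; Secure; HttpOnly; Path=/"
UNTRUSTED_NAME = "<script>alert('xss')</script>"

if __name__ == "__main__":
    print("sent over https:", browser_would_send(SESSION_COOKIE, "https"))  # True
    print("sent over http: ", browser_would_send(SESSION_COOKIE, "http"))   # False
    print("value on wire:  ", cookie_value(SESSION_COOKIE))                 # abc123
    print(render_greeting_unsafe(UNTRUSTED_NAME))
    print(render_greeting(UNTRUSTED_NAME))
```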
  
Key Survey Results
Architects and software developers had a much higher level of knowledge than QA, yet in many organizations QA has a material role in application security
Chart: Average % Correct (Primary Job Function): Software Developer 61%, Quality Assurance 56%, Architect 64%, Other 56%
Chart: Group Passing Rate (Primary Job Function): Software Developer 31%, Quality Assurance 22%, Architect 34%, Other 18%

Key Survey Results
Slightly more than half of the respondents correctly answered basic awareness questions on application security but struggled with ways to operationalize appsec concepts
Chart: Percentage That Answered Correctly: #4 "Cross Site Scripting (XSS) causes malicious scripts to execute on the user's…" 83%; #7 "Authentication is…" 69%; #15 "Which of the following will help protect against XSS?" 11%

Key Survey Results
• Almost 100 percent could define input validation, demonstrating a choppy understanding of advanced secure coding knowledge
• Nearly 90 percent correctly identified proper session IDs, which is reassuring
Chart: Percentage That Answered Correctly: #1 "Input validation is…" 95%; #11 "What is an example of proper session IDs?" 88%

Key Survey Results
• Retention rose by more than 25 percent after completing secure coding training
Chart: Average % Correct: Before Training (All) 59%, After Training (All) 74%

Key Survey Results
Enterprises of more than 10,000 personnel had the lowest secure coding knowledge
Chart: Average % Correct (Company Size): 1-24 Employees 61%, 25-99 Employees 64%, 100-499 Employees 58%, 500-2499 Employees 60%, 2500-9999 Employees 62%, 10,000 or More Employees 58%
Chart: Group Passing Rate (Company Size): 1-24 Employees 33%, 25-99 Employees 39%, 100-499 Employees 26%, 500-2499 Employees 32%, 2500-9999 Employees 32%, 10,000 or More Employees 19%

Key Survey Results
The majority of the respondents had no prior secure coding training, which might be surprising
Chart: Previous App Sec Training (# of valid responses): None 168, Less than a Day 86, At least 1 day but less than 2 days 56, At least 2 days but less than 3 days 27, More than 3 days 95

Key Survey Results
There was no correlation between years of experience and knowledge of secure coding, highlighting the continued need for effective security training
Chart: Percentage of Correct Answers (Years of Development Experience): 0-7 years 59%, More than 7 years experience 60%

Key Survey Results
The respondents that had more than 3 days of app sec training in the past were able to answer more than half of the questions correctly
Chart: Group Passing Rate (Previous App Sec Training), i.e. the percentage of each group who correctly answered 70% or more of the questions, by amount of previous application security training: None 29%, Less than a Day 15%, At least 1 day but less than 2 days 27%, At least 2 days but less than 3 days 22%, More than 3 days 34%
Chart: Average % Correct (Previous App Sec Training): None 59%, Less than a Day 57%, At least 1 day but less than 2 days 60%, At least 2 days but less than 3 days 59%, More than 3 days 63%

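How the deck's two headline metrics, average % correct and group passing rate, are computed under its own definitions (15 multiple-choice questions; a respondent passes by answering 70% or more correctly). This is an added example and not the survey's data or code: the answer key, the response sheets, the group labels and the function names are constructed.

```python
from collections import defaultdict

NUM_QUESTIONS = 15          # the deck's 15 multiple-choice questions
PASS_THRESHOLD = 0.70       # "correctly answered 70% or more questions"

# Constructed answer key (question number -> correct option); the real
# key is not on the slides.
ANSWER_KEY = {q: "a" for q in range(1, NUM_QUESTIONS + 1)}


def score(answers: dict, key: dict = ANSWER_KEY) -> float:
    """Fraction of the key answered correctly.  A skipped question counts
    as wrong, so partial sheets are scored on the full question count."""
    correct = sum(1 for q, want in key.items() if answers.get(q) == want)
    return correct / len(key)


def passed(fraction_correct: float) -> bool:
    """The deck's pass rule.  Note the edge: 70% of 15 is 10.5, so
    10 correct (66.7%) fails and 11 correct (73.3%) passes."""
    return fraction_correct >= PASS_THRESHOLD


def group_metrics(responses):
    """responses: iterable of (group_label, answers).  Returns
    {group_label: (average_pct_correct, group_passing_rate_pct)},
    both rounded to whole percentages as the slides present them."""
    by_group = defaultdict(list)
    for group, answers in responses:
        by_group[group].append(score(answers))
    result = {}
    for group, scores in by_group.items():
        avg_pct = 100.0 * sum(scores) / len(scores)
        pass_pct = 100.0 * sum(1 for s in scores if passed(s)) / len(scores)
        result[group] = (round(avg_pct), round(pass_pct))
    return result


def relative_change_pct(before_pct: float, after_pct: float) -> float:
    """Relative change, the figure behind a claim like "rose by more than
    25 percent" (59% -> 74% is 15 percentage points but 25.4% relative)."""
    return 100.0 * (after_pct - before_pct) / before_pct


def _sheet(correct_count: int) -> dict:
    """Constructed answer sheet with the first correct_count answers right."""
    return {q: ("a" if q <= correct_count else "b")
            for q in range(1, NUM_QUESTIONS + 1)}


# Constructed responses grouped by previous app sec training, mirroring
# the breakdown on the slide above; the numbers are not the survey's.
SAMPLE_RESPONSES = [
    ("None", _sheet(8)),
    ("None", _sheet(10)),
    ("None", _sheet(11)),
    ("More than 3 days", _sheet(9)),
    ("More than 3 days", _sheet(12)),
    ("More than 3 days", _sheet(14)),
]

if __name__ == "__main__":
    for group, (avg, rate) in group_metrics(SAMPLE_RESPONSES).items():
        print(f"{group:>17}: average {avg}% correct, passing rate {rate}%")
    print(f"59% -> 74%: +{relative_change_pct(59, 74):.1f}% relative")
```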
  
Key Survey Results
100% correctly identified where cross site scripting executes after completing training, an increase of almost 20 percentage points
Chart: #4 Where Cross Site Scripting (XSS) Executes, Percentage With Correct Answers: Before Training 83%, After Training 100%

Key Survey Results
The number of respondents able to correctly identify what application security is more than doubled after training was complete
Chart: Correctly Identified Application Security Term: Before Training 21%, After Training 55%

Software Developers Learn Differently than Companies “Teach”
• Teaching methods are formalized and structured in order to be repeatable
• Types of structures consist of:
  – On-site & off-site classroom training
  – E-learning for compliance
  – Videos, webinars, etc.

So How Do Developers Learn?
• Informally and in an unstructured way via:
  – Blogs & RSS feeds
  – Social media with emphasis
  – Developer websites
  – Influential e-mail lists
  – Safari Online

Don’t Ignore Basics of Training
• Refresher training is still needed
• Training must be included in performance plans
• Managers increasingly want an ROI

Incentives Matter!

CONCLUSION
• Software developers still largely do not understand key software security concepts
• 73% of respondents “failed” the initial survey
• Average score of 59% before training
• However, software developers’ understanding of key software security concepts did increase after training
• QA staff struggled to understand software security concepts vs. architects and software developers

Where do we Go from Here?

Questions and Answers?
John B. Dickson
@johnbdickson
john@denimgroup.com

Software Testing Statistics.pdfAnanthReddy38
 

Similar a Security Training: Necessary Evil, Waste of Time, or Genius Move? (20)

Appsec2013 presentation-dickson final-with_all_final_edits
Appsec2013 presentation-dickson final-with_all_final_editsAppsec2013 presentation-dickson final-with_all_final_edits
Appsec2013 presentation-dickson final-with_all_final_edits
 
Secure Iowa Oct 2016
Secure Iowa Oct 2016Secure Iowa Oct 2016
Secure Iowa Oct 2016
 
How is Your AppSec Program Doing Compared to Others
How is Your AppSec Program Doing Compared to OthersHow is Your AppSec Program Doing Compared to Others
How is Your AppSec Program Doing Compared to Others
 
Information Security Awareness
Information Security Awareness Information Security Awareness
Information Security Awareness
 
Automotive Cybersecurity: The Gap Still Exists
Automotive Cybersecurity: The Gap Still ExistsAutomotive Cybersecurity: The Gap Still Exists
Automotive Cybersecurity: The Gap Still Exists
 
Credit Union Cyber Security
Credit Union Cyber SecurityCredit Union Cyber Security
Credit Union Cyber Security
 
A Successful SAST Tool Implementation
A Successful SAST Tool ImplementationA Successful SAST Tool Implementation
A Successful SAST Tool Implementation
 
Emphasizing Value of Prioritizing AppSec Meetup 11052023.pptx
Emphasizing Value of Prioritizing AppSec Meetup 11052023.pptxEmphasizing Value of Prioritizing AppSec Meetup 11052023.pptx
Emphasizing Value of Prioritizing AppSec Meetup 11052023.pptx
 
2016 Risk Management Workshop
2016 Risk Management Workshop2016 Risk Management Workshop
2016 Risk Management Workshop
 
KnowBe4-Presentation-Overview.pdf
KnowBe4-Presentation-Overview.pdfKnowBe4-Presentation-Overview.pdf
KnowBe4-Presentation-Overview.pdf
 
Static Testing: We Know It Works, So Why Don’t We Use It?
Static Testing: We Know It Works, So Why Don’t We Use It?Static Testing: We Know It Works, So Why Don’t We Use It?
Static Testing: We Know It Works, So Why Don’t We Use It?
 
Getting Executive Support for a Software Security Program
Getting Executive Support for a Software Security ProgramGetting Executive Support for a Software Security Program
Getting Executive Support for a Software Security Program
 
Fortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptxFortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptx
 
Fortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptxFortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptx
 
Best Coding PracticesLaDonne White, Manager, Webtrain Inc. e.docx
Best Coding PracticesLaDonne White, Manager, Webtrain Inc. e.docxBest Coding PracticesLaDonne White, Manager, Webtrain Inc. e.docx
Best Coding PracticesLaDonne White, Manager, Webtrain Inc. e.docx
 
Cyber risk management-white-paper-v8 (2) 2015
Cyber risk management-white-paper-v8 (2) 2015Cyber risk management-white-paper-v8 (2) 2015
Cyber risk management-white-paper-v8 (2) 2015
 
DevSecOps: Minimizing Risk, Improving Security
DevSecOps: Minimizing Risk, Improving SecurityDevSecOps: Minimizing Risk, Improving Security
DevSecOps: Minimizing Risk, Improving Security
 
Crucial Factors for Determining The Right Testing Method for Software Testing...
Crucial Factors for Determining The Right Testing Method for Software Testing...Crucial Factors for Determining The Right Testing Method for Software Testing...
Crucial Factors for Determining The Right Testing Method for Software Testing...
 
ARC's Bob Mick's Cyber Security Standards Presentation at ARC's 2008 Industry...
ARC's Bob Mick's Cyber Security Standards Presentation at ARC's 2008 Industry...ARC's Bob Mick's Cyber Security Standards Presentation at ARC's 2008 Industry...
ARC's Bob Mick's Cyber Security Standards Presentation at ARC's 2008 Industry...
 
Software Testing Statistics.pdf
Software Testing Statistics.pdfSoftware Testing Statistics.pdf
Software Testing Statistics.pdf
 

Más de Denim Group

Long-term Impact of Log4J
Long-term Impact of Log4JLong-term Impact of Log4J
Long-term Impact of Log4JDenim Group
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Denim Group
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Denim Group
 
Optimizing Security Velocity in Your DevSecOps Pipeline at Scale
Optimizing Security Velocity in Your DevSecOps Pipeline at ScaleOptimizing Security Velocity in Your DevSecOps Pipeline at Scale
Optimizing Security Velocity in Your DevSecOps Pipeline at ScaleDenim Group
 
Application Asset Management with ThreadFix
 Application Asset Management with ThreadFix Application Asset Management with ThreadFix
Application Asset Management with ThreadFixDenim Group
 
OWASP San Antonio Meeting 10/2/20
OWASP San Antonio Meeting 10/2/20OWASP San Antonio Meeting 10/2/20
OWASP San Antonio Meeting 10/2/20Denim Group
 
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA ProgramAppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA ProgramDenim Group
 
Using Collaboration to Make Application Vulnerability Management a Team Sport
Using Collaboration to Make Application Vulnerability Management a Team SportUsing Collaboration to Make Application Vulnerability Management a Team Sport
Using Collaboration to Make Application Vulnerability Management a Team SportDenim Group
 
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...Denim Group
 
Security Champions: Pushing Security Expertise to the Edges of Your Organization
Security Champions: Pushing Security Expertise to the Edges of Your OrganizationSecurity Champions: Pushing Security Expertise to the Edges of Your Organization
Security Champions: Pushing Security Expertise to the Edges of Your OrganizationDenim Group
 
The As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsThe As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsDenim Group
 
An Updated Take: Threat Modeling for IoT Systems
An Updated Take: Threat Modeling for IoT SystemsAn Updated Take: Threat Modeling for IoT Systems
An Updated Take: Threat Modeling for IoT SystemsDenim Group
 
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...Denim Group
 
A New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFixA New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFixDenim Group
 
Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Denim Group
 
AppSec in a World of Digital Transformation
AppSec in a World of Digital TransformationAppSec in a World of Digital Transformation
AppSec in a World of Digital TransformationDenim Group
 
The As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsThe As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsDenim Group
 
Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Denim Group
 
AppSec in a World of Digital Transformation
 AppSec in a World of Digital Transformation AppSec in a World of Digital Transformation
AppSec in a World of Digital TransformationDenim Group
 
Enumerating Enterprise Attack Surface
Enumerating Enterprise Attack SurfaceEnumerating Enterprise Attack Surface
Enumerating Enterprise Attack SurfaceDenim Group
 

Más de Denim Group (20)

Long-term Impact of Log4J
Long-term Impact of Log4JLong-term Impact of Log4J
Long-term Impact of Log4J
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
 
Optimizing Security Velocity in Your DevSecOps Pipeline at Scale
Optimizing Security Velocity in Your DevSecOps Pipeline at ScaleOptimizing Security Velocity in Your DevSecOps Pipeline at Scale
Optimizing Security Velocity in Your DevSecOps Pipeline at Scale
 
Application Asset Management with ThreadFix
 Application Asset Management with ThreadFix Application Asset Management with ThreadFix
Application Asset Management with ThreadFix
 
OWASP San Antonio Meeting 10/2/20
OWASP San Antonio Meeting 10/2/20OWASP San Antonio Meeting 10/2/20
OWASP San Antonio Meeting 10/2/20
 
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA ProgramAppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
 
Using Collaboration to Make Application Vulnerability Management a Team Sport
Using Collaboration to Make Application Vulnerability Management a Team SportUsing Collaboration to Make Application Vulnerability Management a Team Sport
Using Collaboration to Make Application Vulnerability Management a Team Sport
 
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
 
Security Champions: Pushing Security Expertise to the Edges of Your Organization
Security Champions: Pushing Security Expertise to the Edges of Your OrganizationSecurity Champions: Pushing Security Expertise to the Edges of Your Organization
Security Champions: Pushing Security Expertise to the Edges of Your Organization
 
The As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsThe As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native Applications
 
An Updated Take: Threat Modeling for IoT Systems
An Updated Take: Threat Modeling for IoT SystemsAn Updated Take: Threat Modeling for IoT Systems
An Updated Take: Threat Modeling for IoT Systems
 
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
 
A New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFixA New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFix
 
Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...
 
AppSec in a World of Digital Transformation
AppSec in a World of Digital TransformationAppSec in a World of Digital Transformation
AppSec in a World of Digital Transformation
 
The As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsThe As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native Applications
 
Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...
 
AppSec in a World of Digital Transformation
 AppSec in a World of Digital Transformation AppSec in a World of Digital Transformation
AppSec in a World of Digital Transformation
 
Enumerating Enterprise Attack Surface
Enumerating Enterprise Attack SurfaceEnumerating Enterprise Attack Surface
Enumerating Enterprise Attack Surface
 

Último

Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Farhan Tariq
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Hiroshi SHIBATA
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationKnoldus Inc.
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...Wes McKinney
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Mark Goldstein
 
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...itnewsafrica
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality AssuranceInflectra
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI AgeCprime
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Kaya Weers
 
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical InfrastructureVarsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructureitnewsafrica
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Nikki Chapple
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesBernd Ruecker
 
React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkPixlogix Infotech
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxfnnc6jmgwh
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 

Último (20)

Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog Presentation
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI Age
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)
 
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical InfrastructureVarsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architectures
 
React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App Framework
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 

Security Training: Necessary Evil, Waste of Time, or Genius Move?

  • 6. Growth & Turnover Spur Sense of Urgency
    – Software development field growing 30%
    – Turnover: Industry 14-15%; General IT ~20%; Software Development ~20-30%
    Sources: Bureau of Labor Statistics and Society of Human Resources Management
  • 7. Research Overview
    – Focus: Assess software developers' depth of software security knowledge
    – Purpose: To measure the impact of software security training on that level of understanding
    – Survey size: 600 software developers surveyed in North America (US and Canada)
    – Vertical markets represented: financial, government, retail, educational, technology, energy and healthcare segments
  • 8. Respondent Demographics
    – [Chart: number of valid responses by company size; the size categories are not recoverable from the page]
    – Primary job function (number of valid responses): Software Developer 233, Quality Assurance 27, Architect 29, Other 143
  • 9. Respondent Demographics
    – Software development experience: less than a year 10%; 1-2 years 8%; 2-4 years 12%; 4-7 years 11%; more than 7 years 59%
  • 10. Respondent Demographics
    – Previous app sec training (number of valid responses): None 168; less than a day 86; at least 1 day but less than 2 days 56; at least 2 days but less than 3 days 27; more than 3 days 95
  • 11. Methodology
    – 15 multiple choice quiz-style questions
    – Targeted at software developers; varied by years of experience, amount of previous training, primary job function, company industry and company size
    – Distribution: online (before and after); hard-copy questionnaires given to instructor-led class trainees (before and after); social media networks (sharing and some paid promotion with incentives)
  • 12. Hypotheses
    1. Most software developers do not have a basic understanding of software security concepts.
    2. Software security training can improve a developer's knowledge of security concepts in the short term.
    3. Certain industries, such as financial services, are more likely to have software developers that are already exposed to key software security concepts.
  • 13. Sample Questions
    If an attacker were able to view sensitive customer records they should not have had access to, this would be a(n) _______ breach.
      ___ Confidentiality
      ___ Integrity
      ___ Availability
    Authentication is...
      ___ Proving to an application that the user is who they claim to be
      ___ Confirming that the user is allowed to access a certain page or function
      ___ Verifying that the data displayed on a given page is authentic
      ___ Thoroughly logging all of a user's important activity
• 14. Sample Questions
  Marking a cookie as "secure" will...
  ___ Force all requests that use the cookie to use SSL
  ___ Prevent an attacker from guessing its value
  ___ Encrypt it when sent over non-SSL requests
  ___ Tell the browser not to send it over non-SSL requests

  Which of the following will help protect against XSS?
  ___ Only accepting URL encoded GET parameters
  ___ Not using any JavaScript in the application
  ___ Only using JavaScript in .js files stored on external hosts
  ___ Encoding special HTML characters in data as it is rendered to the page
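Behind the two questions on this slide sit two concrete defensive practices: the Secure cookie attribute, which instructs the browser to send the cookie only over HTTPS, and HTML output encoding, which makes the browser display untrusted data as text rather than interpret it as markup. The following Python example is added here for illustration and is not part of the Denim Group presentation or its survey; it uses only the standard library, and the function names, the `sid` cookie value and the sample comment text are constructed for the demo.

```python
import html
from http import cookies

# Constructed sample input: text as a user might submit it in a form field.
SAMPLE_COMMENT = 'Nice post <script>alert("x")</script> & more'


def render_comment_unsafe(untrusted: str) -> str:
    """The 'before' form: raw concatenation lets any markup inside the data
    reach the browser as markup, which is the condition XSS relies on."""
    return '<p class="comment">' + untrusted + '</p>'


def render_comment(untrusted: str) -> str:
    """Encode special HTML characters in data as it is rendered into an HTML
    body context. html.escape rewrites & < > " ' as entities, so the browser
    shows the data as text instead of interpreting it."""
    return '<p class="comment">' + html.escape(untrusted, quote=True) + '</p>'


def contains_raw_tag(rendered: str) -> bool:
    """Demo check: did a literal '<script' survive into the rendered output?"""
    return '<script' in rendered.lower()


def build_session_cookie(name: str, value: str) -> str:
    """Build a Set-Cookie header value for a session cookie.

    'Secure' tells the browser not to send the cookie over non-HTTPS requests;
    'HttpOnly' keeps it out of reach of page scripts. Neither attribute
    encrypts the value or makes it harder to guess, so the value itself must
    still be unpredictable (the value used in the demo is a placeholder)."""
    jar = cookies.SimpleCookie()
    jar[name] = value
    jar[name]["secure"] = True
    jar[name]["httponly"] = True
    jar[name]["path"] = "/"
    jar[name]["samesite"] = "Strict"  # SimpleCookie supports SameSite since Python 3.8
    return jar[name].OutputString()


def cookie_attributes(set_cookie_value: str) -> set:
    """Parse the attribute names out of a Set-Cookie header value, so a review
    or test can confirm Secure/HttpOnly are actually present on the wire."""
    parts = [p.strip() for p in set_cookie_value.split(";")[1:]]
    return {p.split("=", 1)[0].lower() for p in parts if p}


if __name__ == "__main__":
    print("unsafe :", render_comment_unsafe(SAMPLE_COMMENT))
    print("encoded:", render_comment(SAMPLE_COMMENT))
    header = build_session_cookie("sid", "0123456789abcdef")
    print("Set-Cookie:", header)
    print("attributes:", sorted(cookie_attributes(header)))
```

`html.escape` covers the HTML body context only; data placed into an attribute, a URL or a script block needs the encoding appropriate to that context. `cookie_attributes` is the kind of check a reviewer can run against a real response header to verify the flag is set rather than trusting the framework configuration.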
• 15. Key Survey Results
  Architects and software developers had a much higher level of knowledge than QA, yet in many organizations QA has a material role in application security.
  Average % Correct (Primary Job Function):
  –  Software Developer: 61%
  –  Quality Assurance: 56%
  –  Architect: 64%
  –  Other: 56%
  Group Passing Rate (Primary Job Function):
  –  Software Developer: 31%
  –  Quality Assurance: 22%
  –  Architect: 34%
  –  Other: 18%
• 16. Key Survey Results
  Slightly more than half of the respondents correctly answered basic awareness questions on application security but struggled with ways to operationalize appsec concepts.
  Percentage That Answered Correctly:
  –  #4: Cross Site Scripting (XSS) causes malicious scripts to execute on the user's…: 83%
  –  #7: Authentication is…: 69%
  –  #15: Which of the following will help protect against XSS?: 11%
• 17. Key Survey Results
  •  Almost 100 percent could define input validation, demonstrating a choppy understanding of advanced secure coding knowledge
  •  Nearly 90 percent correctly identified proper session IDs, which is reassuring
  Percentage That Answered Correctly:
  –  #1: Input validation is…: 95%
  –  #11: What is an example of proper session IDs?: 88%
• 18. Key Survey Results
  •  Retention rose by more than 25 percent after completing secure coding training
  Average % Correct:
  –  Before Training (All): 59%
  –  After Training (All): 74%
• 19. Key Survey Results
  Enterprises of more than 10,000 personnel had the lowest secure coding knowledge.
  Average % Correct (Company Size):
  –  1-24 Employees: 61%
  –  25-99 Employees: 64%
  –  100-499 Employees: 58%
  –  500-2499 Employees: 60%
  –  2500-9999 Employees: 62%
  –  10,000 or More Employees: 58%
  Group Passing Rate (Company Size):
  –  1-24 Employees: 33%
  –  25-99 Employees: 39%
  –  100-499 Employees: 26%
  –  500-2499 Employees: 32%
  –  2500-9999 Employees: 32%
  –  10,000 or More Employees: 19%
• 20. Key Survey Results
  The majority of the respondents had no prior secure coding training, which might be surprising.
  Previous App Sec Training (# of valid responses):
  –  None: 168
  –  Less than a Day: 86
  –  At least 1 day, but less than 2 days: 56
  –  At least 2 days, but less than 3 days: 27
  –  More than 3 days: 95
• 21. Key Survey Results
  There was no correlation between years of experience and knowledge of secure coding, highlighting the continued need for effective security training.
  Average % Correct (Years of Development Experience):
  –  0-7 years: 59%
  –  More than 7 years experience: 60%
• 22. Key Survey Results
  The respondents that had more than 3 days of app sec training in the past were able to answer more than half of the questions correctly.
  Group Passing Rate (Previous App Sec Training), i.e. percentage of group who correctly answered 70% or more questions:
  –  None: 29%
  –  Less than a Day: 15%
  –  At least 1 day, but less than 2 days: 27%
  –  At least 2 days, but less than 3 days: 22%
  –  More than 3 days: 34%
  Average % Correct (Previous App Sec Training):
  –  None: 59%
  –  Less than a Day: 57%
  –  At least 1 day, but less than 2 days: 60%
  –  At least 2 days, but less than 3 days: 59%
  –  More than 3 days: 63%
• 23. Key Survey Results
  100% correctly identified where cross site scripting executes after completing training, an increase of almost 20 percentage points.
  #4: Where Cross Site Scripting (XSS) Executes (percentage with correct answers):
  –  Before Training: 83%
  –  After Training: 100%
• 24. Key Survey Results
  The number of respondents able to correctly identify what application security is more than doubled after training was complete.
  Correctly Identified Application Security Term:
  –  Before Training: 21%
  –  After Training: 55%
• 25. Software Developers Learn Differently than Companies "Teach"
  •  Teaching methods are formalized and structured in order to be repeatable
  •  Types of structures consist of:
     –  On-site & off-site classroom training
     –  E-learning for compliance
     –  Videos, webinars, etc.
• 27. So How Do Developers Learn?
  •  Informally and in an unstructured way via:
     •  Blogs & RSS feeds
     •  Social media, with emphasis
     •  Developer websites
     •  Influential e-mail lists
     •  Safari Online
• 28. Don't Ignore Basics of Training
  •  Refresher training is still needed
  •  Training must be included in performance plans
  •  Managers increasingly want an ROI
• 29. Incentives Matter!
• 30. Conclusion
  •  Software developers still largely do not understand key software security concepts
     –  73% of respondents "failed" the initial survey
     –  Average score of 59% before training
  •  However, software developers' understanding of key software security concepts did increase after training
  •  QA staff struggled to understand software security concepts compared with architects and software developers
• 31. Where Do We Go from Here?
• 32. Questions and Answers?
  John B. Dickson
  @johnbdickson
  john@denimgroup.com