Secure Development Training – Learning from Failure

Why do developers need secure development training as well as their regular training? The answer to that starts with a side trip into the aviation world.

Have you ever wondered why the windows on commercial airliners have rounded corners instead of square ones?

In the 1950s, when jet service was still new, there was a series of crashes of the de Havilland DH 106 Comet, the first production commercial jetliner. The investigations into the crashes found that the fuselage was suffering from metal fatigue, something little understood at the time, and could fail catastrophically. Every flight pressurized and depressurized the cabin and took the airframe through repeated temperature changes as it climbed and descended, and those cycles fatigued the metal and weakened the structure. Some parts of the structure were stress concentrations that suffered more than the rest. One of these was the corners of the square-cornered windows on the original versions of the Comet. The square corners produced stress levels two to three times greater than the rest of the fuselage. The metal was going to fail after some number of flight cycles, and one of the crashes came after as few as 900 flights.

Developers Need Secure Development Training

Why do developers need secure development training as well as their regular training?

There is an old joke that 50% of doctors graduated in the bottom half of their class. It is a sobering thought, but it is true of every field. Software development carries an additional burden: many developers come to the profession from other disciplines and never formally studied software development at all. They started programming for one reason or another, decided they liked it, and stayed. Read some books, take a few classes, and start writing code.

They can do this in part because development is still more a creative process than a rigorous engineering discipline. Many developers consider themselves artists. Developers are mostly focused on creating something that works: they take known processes and procedures and put them together in new and creative ways to accomplish their tasks. We are adding more engineering-style rigor to the process, but we are a long way from other engineering fields.

Burp Suite Tutorials

I don’t recall PortSwigger’s Burp Suite being around the last time I did much web application testing. It may have been, but I do not recall it and I did not use it. I am using it now, and of course that means getting to know a new tool. While I’m waiting for some of Burp’s tests to run, I figured I’d give a shout-out to the best of the Burp Suite tutorials I’ve found out there. Security Ninja has some excellent ones.

Burp Suite Tutorial – Sequencer Tool

Burp Suite Tutorial – Intruder Tool

Burp Suite Tutorial – Repeater and Comparer Tools

Overcoming Our Training

You often hear that training is a key piece of secure software development, and it is. On the other hand, I like to flip things around a bit and point out that another key is overcoming our training.

It may seem counterintuitive, but we have to overcome our training. Not our secure development training, but a lot of our other development training.

Have you ever heard the old joke that half the doctors out there graduated in the bottom half of their class? We have the same problem in the development world, but with an added burden. Not all developers studied computer science or a related degree in college. Many came to the profession from other fields, where they learned to program for some reason and decided they liked it. But like the doctors in that joke, half of us are below average when it comes to our training.

A lot of our training created bad habits. I like to quote a computer science professor of mine from back in the mid-80s. The lesson was not hard, so some of us set out to add bells and whistles to the assignment. The instructor told us, “Forget that extra stuff and just focus on the lesson.” Translation: get it to work and move on. Lesson learned, and it wasn’t a good one. There is a whole lot of get-it-to-work-and-move-on in the software world. When I gave a talk that touched on this at an ISSA conference a few years ago, some members of the audience who were current computer science majors came up afterwards and said their instructors were still telling them to focus on the lesson and forget about the extra stuff. Bad habits are still being taught.