Can AppSec Training Really Make a Smarter Developer?

Presented at AppSec USA 2013, Nov. 20, 2013, 11 a.m. (50 minutes)

Video of session: https://www.youtube.com/watch?v=jUOecoGGA2g&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=40

Most application risk managers agree that training software developers to understand security concepts can be an important part of any software security program. Couple that with the Payment Card Industry, which mandates that developers should have training in secure coding techniques as laid out in its Data Security Standard. Yet others call developer training "compliance-ware," a necessary evil and a tax on software development in the enterprise. This presentation shares the results of a yearlong survey of nearly 1,000 software developers that captures their knowledge of application security before and after formal training. The survey queries developers from various backgrounds and industries, to better understand their exposure to secure development concepts and to capture a baseline for post-training improvements. The session also includes the results of a "retest" of a subset of respondents, to identify how much security knowledge they retained after a specific length of time. The results were surprising, and include information every application risk manager should know, particularly those who rely on training as part of an application security strategy.

Presenters:

  • John Dickson - Principal - Denim Group
    John Dickson is an internationally recognized security leader, entrepreneur and Principal at Denim Group, Ltd. He has nearly 20 years of hands-on experience in intrusion detection, network security and application security in the commercial, public and military sectors. Dickson is a popular speaker on security at industry venues including the RSA Security Conference, the SANS Institute, the Open Web Application Security Project (OWASP) and other international security conferences. He is a sought-after security expert and regularly contributes to Dark Reading and other security publications. A Distinguished Fellow of the International Systems Security Association, he has been a Certified Information Systems Security Professional (CISSP) since 1998. As a Denim Group Principal, he helps executives and Chief Security Officers (CSOs) of Fortune 500 companies and government organizations launch and expand their critical application security initiatives.

Links: