Non-profit organization SAFECode unveiled a series of new training modules to help enterprises train software developers in-house to write secure code.
The free software security training program from the Software Assurance Forum for Excellence in Code (SAFECode) will help developers learn security principles and methods to write more secure applications, the organization said Tuesday. SAFECode’s training modules are not intended to compete with certification programs offered by organizations such as ISC2, but will address gaps in security engineering knowledge among software developers, SAFECode said.
“The lack of security engineering awareness and education among the software engineering workforce can be a significant obstacle to organizations working to implement software security programs,” Howard A. Schmidt, executive director of SAFECode and former White House cyber-security coordinator, said in a statement.
Recent reports from WhiteHat Security, Cenzic, and Veracode highlighted the challenge organizations face in developing secure applications. Cenzic's 2013 Application Vulnerability Trends Report found that 99 percent of the applications it examined had one or more vulnerabilities, with a median of 13 vulnerabilities per application. Veracode's recent State of Software Security report found that 87 percent of applications did not meet OWASP Top 10 compliance on the first submission.
Many of those same applications also failed the CWE/SANS Top 25 and frequently did not comply with internal policies, Veracode found. Many of the flaws were well-known issues, such as SQL injection and cross-site scripting. WhiteHat Security earlier this month reported that information leakage errors were identified in 55 percent of the Websites analyzed by the company's Sentinel platform. Content spoofing vulnerabilities were found in 33 percent of the sites, and 53 percent had cross-site scripting errors, WhiteHat said in the report.
“Security training is most effective when aligned to an organization’s unique culture and security development process,” but “not every organization has the resources required to develop custom training,” Schmidt said.
At launch, SAFECode's training courses cover only introductory-level topics, such as preventing SQL injection and avoiding cross-site request forgery, but the organization plans to add courses on an ongoing basis. The catalog will eventually offer security engineering training for all levels. SAFECode will also include supporting resources, such as advice on how to implement a training program.
The courses are delivered as on-demand Webcasts and are designed to serve as building blocks for an in-house training program. Enterprises can pick and choose the modules relevant to their development environment, Schmidt said, and use them either to supplement an existing training program or to build a new one from scratch.
SAFECode's program is based on training materials used internally at Adobe Systems as part of its software security program. A team of technical contributors from SAFECode member companies reviewed the materials donated by Adobe and added further elements so that the program could be applied across a broad range of development environments.
Brad Arkin, Adobe's new chief security officer, has been a frequent proponent of raising the cost of exploit development for attackers. Adobe's development team has focused on implementing multiple defensive mechanisms and on making sure common software weaknesses do not appear in Adobe's code, Arkin told SecurityWeek in an earlier interview. Software will never be perfect, and it is not possible to find and fix every bug, Arkin said.
Adobe's focus is therefore to address common weaknesses and to implement defensive mechanisms that slow attackers down, increasing the chances of detecting an attack in progress, Arkin said. Together, these layers of defense drive up the cost for exploit authors by making a working attack harder to craft, he added.
Visit https://training.safecode.org for more information about the free courses.