Are companies actually putting money into training software developers for security? The smart ones are. Security researchers from Information Security Decisions 2008 discuss secure application coding and the best ways to teach secure practices to young software developers.
Panelists include Alexander Sotirov from VMware, Dave Aitel of Immunity Security Inc, Billy Hoffman of HP and Matasano Security's Tom Ptacek.
The importance of secure software development training
Interviewer: How many people are actually taking that dollar and putting it into training and developers?
Tom Ptacek: The smart ones are. The smartest ones are not just training; the smartest ones have a program set up so that they issue it, and not crazy awesome training, not like every developer is going to come out of there knowing how to write the grammar for SQL, right. Simple stuff, right. Run a simple training course across all of your developers and track before and after what the defect rate is. And see what works and see what doesn't work. That's management, hard to do, but that's what we have to actually do instead of chasing those words.
Billy Hoffman: And I think that lends itself to the idea that you just treat security vulnerabilities as software defects, right. So SQL injection, you're right, you don't have to be crazy with SQL; teach them how to use parameterized SQL queries. That'll take care of a lot of the issues right there.
I mean, there's a lot. Just the way that there's lots of very easy ways to get the Web app, there's fairly low-hanging security training you can give these developers that will, because there's so many other problems, you know, it's the whole like, if you're being chased by a tiger and you're in a group, you don't have to be the fastest runner, you just have to be faster than the slowest person.
I think that you should put these training dollars in. And you can get, you're not going to get to the Microsoft level, but you're going to get to a reasonable level where you're not going to be getting nailed by the people who are taking Nikto and just scanning the internet. You're going to get hit by the people like Dave, who's doing this esoteric business flow, and you're like, holy crap, that's beautiful, I'm kind of glad they just stole some money from me because I just learned something.
Tom Ptacek: I think you're flattered when Dave brings something to you.
Alexander Sotirov: What I'm worried about is not so much the Web side, because I do believe that we can solve buffer overflow problems to some extent. And we can certainly make some inroads with solving the Web stuff. But I'm pretty sure that when the next cool technology comes out, you know, the next big paradigm shift, if I may use that word, when that comes around it's going to be built just as insecurely as the Web world and the C and C++ world before then. So it doesn't seem like we're really making progress in this. We're sort of running on a treadmill, fixing one technology and then immediately replacing it with a different technology that's built on the same flawed assumptions. Such as, your user is a good user and is not going to attack you, and time and time again it's proven that.
Dave Aitel: What do you think that thread is the problem? Like is thread the big issue?
Alexander Sotirov: Threads?
Dave Aitel: Yeah.
Alexander Sotirov: You mean multi-threaded issues?
Dave Aitel: Yeah.
Alexander Sotirov: I don't know. If I knew what the next big issues were, I would already be working on it.
Interviewer: Which he might be, you don't know at this point.
Alexander Sotirov: But it's also not about a specific type of vulnerability. I'm talking more about the shift that we have now from desktop applications to Web applications and to the Cloud. I don't know what the next thing after the Cloud is going to be. Perhaps we're going to be going back to personal computers.
Dave Aitel: Or phones.
Alexander Sotirov: Or phones, yeah.
Billy Hoffman: Well, you're touching on something interesting here, which is the whole like, instead of focusing on the technology of the day, why do we keep making the same fundamental mistakes? We've been talking about input validation. We know that the Air Force wrote fantastic papers in the early '70s about operating system design. Why are we not learning from the mistakes of the past?
When I went through college at Georgia Tech, I actually would get a zero if my code didn't pass certain stylistic lints. But if the TA typed it and forgot their, or put the wrong arguments like into argv and argc in accordance, no points off.
So it's like, you're yelling at me about making sure I have curly braces, but I have massive input validation and security flaws in my code and you're not even encouraging me to even think about these or address these. I think that's a big problem: how are we training these people who are going to build the next big thing? Are we teaching them about security? What advice are we giving them?
Alexander Sotirov: I'm not sure it's exactly a problem for us because it guarantees us job security for as long as we want. But it is a problem for the world at large.
Tom Ptacek: There's a guy in Chicago, he's a professor at the U.I.C., he's a math professor there [Dan Bernstein], wrote a couple of pieces of software. He's, I think, generally referred to as one of the most intelligent people working in software security. During an era where Sendmail was broken into and there were new vulnerabilities found in it once a week, it was the primary way people broke into systems, with the mail server. He authored a piece of software called qmail which was as functional as Sendmail was, and it had an almost perfect security track record.
And the key word there is almost, right. This is a person who's basically dedicated their career to secure software. This is like what this guy is famous for, right. He does not have a perfect track record, right. There were flaws found in that software at some other points, right. If somebody who basically has that research focus and who basically has the best track record in all of software security can't avoid the problem entirely, then it kind of doesn't matter, right?
Alexander Sotirov: There's a difference between Dan hitting a few vulnerabilities in his code and us going backwards in regards to security. I do believe that the switch to Web-based systems is a step backwards for security. And I would expect that the next big switch, whatever it might be, is going to be a step backwards as well. And I think that is a larger problem. We should be, each new technology should have fewer vulnerabilities than the previous one. But this is not what we're seeing. This is not what we're seeing.
Interviewer: Yeah, actually my question is, what do you guys think will happen in the academic space as far as making a change on this? Having gone through a recent program, they just don't teach the security to the developers in school. Like Billy said, it's more on stylistic things and things like that. What could be done to help change the basic academic landscape?
Alexander Sotirov: Well, I think we're starting to see more and more interest in academia. And this is not exactly academia; this is more about teaching young students to write good software. I think we're starting to see some programs adopt a larger focus on security. And I think this is only going to increase. So I think it's already happening. But I'm pretty sure that it's not happening to the extent that it needs to be happening.
If you're a large company and you're hiring fresh out of school graduates, you pretty much have to run them through another training on security. Because they would have either had none or the training they would have had would be insufficient. So hopefully some universities might actually take this as an opportunity to help build better programs and give their graduates an advantage.
Dave Aitel: They're supposed to be learning how to learn, right? Like, as long as they know how to learn when they come out of there, that's good enough. They don't have to learn buffer overflows. We could teach them that. We got papers.
Interviewer: A round of applause for our researchers. Thanks very much, guys. Appreciate it.