DL
Uploaded bydrewz lin
PPT, PDF675 views

Appsec2013 presentation-dickson final-with_all_final_edits

(1) A study surveyed 600 software developers and found that most did not have a basic understanding of software security concepts, with 73% failing an initial survey and the average score being 59% before training. (2) However, after training, developers' understanding of key concepts increased, with some areas like cross-site scripting seeing a 20 percentage point gain. (3) The study concluded that targeted security training can improve developers' knowledge in the short-term, though retention of this knowledge may require refresher training over time.

Embed presentation

Download to read offline
Can AppSec Training Really Make a Smart Developer? Research From Denim Group John B. Dickson, CISSP @johnbdickson November 20, 2013
About Me • Application Security Enthusiast • Security Professional • ISSA Distinguished Fellow • MBA-type and Serial Entrepreneur • Dad Hosted by OWASP && the NYC Chapter Hosted by OWASP the NYC Chapter
About Denim Group Denim Group Overview •Professional services firm that builds & secures enterprise applications  External application assessments  Web, mobile, and cloud  Software development lifecycle development (SDLC) consulting •Secure development services:  Secure .NET and Java application development  Post-assessment remediation •Classroom and e-Learning for PCI compliance Hosted by OWASP && the NYC Chapter Hosted by OWASP the NYC Chapter
“I personally believe that training users in security is generally a waste of time, and that the money can be spent better elsewhere.” Bruce Schneier Hosted by OWASP && the NYC Chapter Hosted by OWASP the NYC Chapter
How Developer Training is Different •Both trying to change behaviors – Target audience has more power to say “no” – Deadlines and releases drive training •For developer, infrequent, but more disruptive • 15-45 minutes vs. 2-day class Hosted by OWASP && the NYC Chapter Hosted by OWASP the NYC Chapter
Yet Training is Mandated •PCI DSS 3.0  Train developers in secure coding techniques, including how to avoid common coding vulnerabilities, and understanding how sensitive data is handled in memory.  Testing Procedures: 6.5.a: Examine software development policies and procedures to verify that secure coding technique training is required for developers, based on best practices and guidance.  Testing Procedures: 6.5.b: Interview a sample of developers to verify that they are knowledgeable in secure coding techniques  Testing Procedures: 6.5.c : Examine training records to verify that software developers received training on secure coding techniques, including how to avoid common coding vulnerabilities, and understanding how sensitive data is handled in memory. Hosted by OWASP && the NYC Chapter Hosted by OWASP the NYC Chapter
But Results Are Not Measured •Harvard Business Review – Large-scale organization development is rare – Measurement of results is even rarer •Workforce analytics rare – More than 25% of survey respondents use little or no workforce analytics – The vast majority (>61%) report their use as tactical, ad hoc, and disconnected from other key systems and processes Hosted by OWASP && the NYC Chapter Hosted by OWASP the NYC Chapter
Growth & Turnover Spur Sense of Urgency – Software development field growing 30% – Turnover • Industry – 14-15% • General IT – ~20% • Software Development – ~20 – 30% Sources: Bureau for Labor Statistics and Society of Human Resources Management Hosted by OWASP && the NYC Chapter Hosted by OWASP the NYC Chapter
Research Overview •Focus: Assess the software developers depth of software security knowledge •Purpose: To measure the impact of software security training on that level of understanding •Survey size: 600 software developers surveyed in North America (US and Canada) •Vertical markets represented: financial, government, retail, educational, technology, energy and healthcare segments. Hosted by OWASP && the NYC Chapter Hosted by OWASP the NYC Chapter
Respondent Demographics Hosted by OWASP && the NYC Chapter Hosted by OWASP the NYC Chapter
Respondent Demographics Hosted by OWASP && the NYC Chapter Hosted by OWASP the NYC Chapter
Respondent Demographics Hosted by OWASP && the NYC Chapter Hosted by OWASP the NYC Chapter
Methodology  15 Multiple Choice Quiz-Style Questions  Targeted at Software Developers  Varied by years of experience, amounts of previous training, primary job function, company industry and company size  Distribution:  Online and hard-copy questionnaires given to instructor-led class trainees (before and after)  Social media networks (sharing and some paid promotion with incentives) Hosted by OWASP && the NYC Chapter Hosted by OWASP the NYC Chapter
Hypotheses 1. Most software developers do not have a basic understanding of software security concepts. 2. Software security training can improve a developer’s knowledge of security concepts in the short-term. 3. Certain industries, such as financial services, are more likely to have software developers that are already exposed to key software security concepts. Hosted by OWASP && the NYC Chapter Hosted by OWASP the NYC Chapter
Sample Questions 4. If an attacker were able to view sensitive customer records they should not have had access to, this would be a(n)_______breach. ___ Confidentiality ___ Integrity ___ Availability 7. Authentication is... ___ Proving to an application that the user is who they claim to be ___ Confirming that the user is allowed to access a certain page or function ___Verifying that the data displayed on a given page is authentic ___ Thoroughly logging all of a user's important activity Hosted by OWASP && the NYC Chapter Hosted by OWASP the NYC Chapter
Key Survey Results • Enterprises of more than 10,000 personnel had the lowest secure coding knowledge Hosted by OWASP && the NYC Chapter Hosted by OWASP the NYC Chapter
Key Survey Results • Architects and software developers had a much higher level of knowledge than QA, yet in many organizations QA has a material role in application security Hosted by OWASP && the NYC Chapter Hosted by OWASP the NYC Chapter
Key Survey Results •Slightly more than half of the respondents correctly answered basic awareness questions on application but struggled with ways to operationalize appsec concepts Hosted by OWASP && the NYC Chapter Hosted by OWASP the NYC Chapter
Key Survey Results •Almost 100 percent could define input validation, demonstrating a choppy understanding of advanced secure coding knowledge. •On the other hand, almost 90 percent correctly identified proper session IDs which is reassuring. Hosted by OWASP && the NYC Chapter Hosted by OWASP the NYC Chapter
Key Survey Results •The majority of the respondents had no prior secure coding training, which might be surprising Hosted by OWASP && the NYC Chapter Hosted by OWASP the NYC Chapter
Key Survey Results • There was no correlation between years of experience and knowledge of secure coding highlighting the continued need for effective security training Hosted by OWASP && the NYC Chapter Hosted by OWASP the NYC Chapter
Key Survey Results •The respondents that had had more than 3 days of app sec training in the past were able to answer more than half of the questions correctly. Hosted by OWASP && the NYC Chapter Hosted by OWASP the NYC Chapter
Key Survey Results •100% correctly identified where cross site scripting executes after completing training, an increase of almost 20 percentage points. Hosted by OWASP && the NYC Chapter Hosted by OWASP the NYC Chapter
Key Survey Results •The number of respondents able to correctly identify what is application security more than doubled after training was complete. Hosted by OWASP && the NYC Chapter Hosted by OWASP the NYC Chapter
CONCLUSION • Retention rose by more than 25 percent after completing secure coding training. • Other statistics also reported that application vulnerabilities reduced by over 70 percent after training Hosted by OWASP && the NYC Chapter Hosted by OWASP the NYC Chapter
Software Developers Learn Differently than Companies “Teach” • Teaching methods are formalized and structured in order to be repeatable • Type of structures consist of: – On-site & off-site classroom training – E-learning for compliance – Videos, webinars, etc. Hosted by OWASP && the NYC Chapter Hosted by OWASP the NYC Chapter
So How Do Developers Learn? •Informally and and in an unstructured way via: • • • • • Blogs & RSS feeds Social media with emphasis Developer websites Influential e-mail lists Safarionline Hosted by OWASP && the NYC Chapter Hosted by OWASP the NYC Chapter
Don’t Ignore Basics of Training •Refresher training is still needed •Training must be included in performance plans •Managers increasingly want an ROI Hosted by OWASP && the NYC Chapter Hosted by OWASP the NYC Chapter
Incentives Matter! Hosted by OWASP && the NYC Chapter Hosted by OWASP the NYC Chapter
CONCLUSION • Software developers largely do not understand key software security concepts  73% of respondents “failed” the initial survey  Average score of 59% before training • However, software developers’ understanding of key software security concepts did increase after training Hosted by OWASP && the NYC Chapter Hosted by OWASP the NYC Chapter
Where do we Go from Here? Hosted by OWASP && the NYC Chapter Hosted by OWASP the NYC Chapter
Questions and Answers? John B. Dickson @johnbdickson john@denimgroup.com Hosted by OWASP && the NYC Chapter Hosted by OWASP the NYC Chapter

More Related Content

PPTX
Gsm architecture, gsm network identities, network cases, cell planning, and c...
byZorays Solar Pakistan
 
DOC
Nripendra
byNripendra Goswami
 
PDF
How to Become a Cyber Security Analyst in 2021..
bySprintzeal
 
PDF
CYBER SECURITY ANALYST - HOW TO BECOME, JOB DEMAND AND TOP CERTIFICATIONS
bySprintzeal
 
PDF
Web Application Remediation - OWASP San Antonio March 2007
byDenim Group
 
PPTX
SolarWinds Application Performance End User Survey (Singapore)
bySolarWinds
 
PPTX
SolarWinds Application Performance End User Survey (UK)
bySolarWinds
 
PDF
Adapting Test Teams to Organizational Power Structures
byTechWell
 
Gsm architecture, gsm network identities, network cases, cell planning, and c...
byZorays Solar Pakistan
 
Nripendra
byNripendra Goswami
 
How to Become a Cyber Security Analyst in 2021..
bySprintzeal
 
CYBER SECURITY ANALYST - HOW TO BECOME, JOB DEMAND AND TOP CERTIFICATIONS
bySprintzeal
 
Web Application Remediation - OWASP San Antonio March 2007
byDenim Group
 
SolarWinds Application Performance End User Survey (Singapore)
bySolarWinds
 
SolarWinds Application Performance End User Survey (UK)
bySolarWinds
 
Adapting Test Teams to Organizational Power Structures
byTechWell
 

Similar to Appsec2013 presentation-dickson final-with_all_final_edits

PDF
Security Training: Necessary Evil, Waste of Time, or Genius Move?
byDenim Group
 
PPTX
How to develop an AppSec culture in your project
by99X Technology
 
PPTX
Building an AppSec Culture
byNirosh Jayaratnam
 
PDF
Vulnerability Management In An Application Security World: AppSecDC
byDenim Group
 
PDF
Application Security on a Dime: A Practical Guide to Using Functional Open So...
byPOSSCON
 
PPT
Integration into the Secure SDLC Process.ppt
byImam Halim Mursyidin
 
PDF
Bringing the hacker mindset into requirements and testing by Eapen Thomas and...
byQA or the Highway
 
PDF
Running an app sec program with OWASP projects_ Defcon AppSec Village
byVandana Verma
 
PPT
The Principles of Secure Development - David Rook
bySecurity B-Sides
 
PDF
AppSec Survey 2.0 Fine-Tuning an AppSec Training Program Based on Data
byDenim Group
 
PDF
Application Security Testing for Software Engineers: An approach to build sof...
byMichael Hidalgo
 
PPTX
How to produce more secure web apps
byDamilola Longe, CISSP, CCSP, MSc
 
PDF
Matteo Meucci Software Security in practice - Aiea torino - 30-10-2015
byMinded Security
 
KEY
Application Security Done Right
bypvanwoud
 
PPTX
Best Practices for a Mature Application Security Program Webinar - February 2016
bySecurity Innovation
 
PDF
Secure Software Development Adoption Strategy
byNarudom Roongsiriwong, CISSP
 
PDF
Matteo meucci Software Security - Napoli 10112016
byMinded Security
 
PDF
Owasp top 10
byPensamiento Libre
 
PDF
The Principles of Secure Development - BSides Las Vegas 2009
bySecurity Ninja
 
PDF
Software Security Initiative And Capability Maturity Models
byMarco Morana
 
Security Training: Necessary Evil, Waste of Time, or Genius Move?
byDenim Group
 
How to develop an AppSec culture in your project
by99X Technology
 
Building an AppSec Culture
byNirosh Jayaratnam
 
Vulnerability Management In An Application Security World: AppSecDC
byDenim Group
 
Application Security on a Dime: A Practical Guide to Using Functional Open So...
byPOSSCON
 
Integration into the Secure SDLC Process.ppt
byImam Halim Mursyidin
 
Bringing the hacker mindset into requirements and testing by Eapen Thomas and...
byQA or the Highway
 
Running an app sec program with OWASP projects_ Defcon AppSec Village
byVandana Verma
 
The Principles of Secure Development - David Rook
bySecurity B-Sides
 
AppSec Survey 2.0 Fine-Tuning an AppSec Training Program Based on Data
byDenim Group
 
Application Security Testing for Software Engineers: An approach to build sof...
byMichael Hidalgo
 
How to produce more secure web apps
byDamilola Longe, CISSP, CCSP, MSc
 
Matteo Meucci Software Security in practice - Aiea torino - 30-10-2015
byMinded Security
 
Application Security Done Right
bypvanwoud
 
Best Practices for a Mature Application Security Program Webinar - February 2016
bySecurity Innovation
 
Secure Software Development Adoption Strategy
byNarudom Roongsiriwong, CISSP
 
Matteo meucci Software Security - Napoli 10112016
byMinded Security
 
Owasp top 10
byPensamiento Libre
 
The Principles of Secure Development - BSides Las Vegas 2009
bySecurity Ninja
 
Software Security Initiative And Capability Maturity Models
byMarco Morana
 

More from drewz lin

PDF
Owasp advanced mobile-application-code-review-techniques-v0.2
bydrewz lin
 
PPTX
Vulnex app secusa2013
bydrewz lin
 
PPTX
Chuck willis-owaspbwa-beyond-1.0-app secusa-2013-11-21
bydrewz lin
 
PPTX
Appsec usa roberthansen
bydrewz lin
 
PDF
基于虚拟化技术的分布式软件测试框架
bydrewz lin
 
PDF
Via forensics appsecusa-nov-2013
bydrewz lin
 
PPTX
I mas appsecusa-nov13-v2
bydrewz lin
 
PPTX
Appsec2013 assurance tagging-robert martin
bydrewz lin
 
PPTX
Owasp2013 johannesullrich
bydrewz lin
 
PPTX
Web security-–-everything-we-know-is-wrong-eoin-keary
bydrewz lin
 
PPTX
Amol scadaowasp
bydrewz lin
 
PPTX
无线App的性能分析和监控实践 rickyqiu
bydrewz lin
 
PPTX
Appsec2013 presentation
bydrewz lin
 
PPTX
新浪微博稳定性经验谈
bydrewz lin
 
PPTX
Appsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitations
bydrewz lin
 
ODP
Csrf not-all-defenses-are-created-equal
bydrewz lin
 
PDF
Appsec usa2013 js_libinsecurity_stefanodipaola
bydrewz lin
 
PPTX
Phu appsec13
bydrewz lin
 
PDF
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
bydrewz lin
 
PPTX
Agile sdlc-v1.1-owasp-app sec-usa
bydrewz lin
 
Owasp advanced mobile-application-code-review-techniques-v0.2
bydrewz lin
 
Vulnex app secusa2013
bydrewz lin
 
Chuck willis-owaspbwa-beyond-1.0-app secusa-2013-11-21
bydrewz lin
 
Appsec usa roberthansen
bydrewz lin
 
基于虚拟化技术的分布式软件测试框架
bydrewz lin
 
Via forensics appsecusa-nov-2013
bydrewz lin
 
I mas appsecusa-nov13-v2
bydrewz lin
 
Appsec2013 assurance tagging-robert martin
bydrewz lin
 
Owasp2013 johannesullrich
bydrewz lin
 
Web security-–-everything-we-know-is-wrong-eoin-keary
bydrewz lin
 
Amol scadaowasp
bydrewz lin
 
无线App的性能分析和监控实践 rickyqiu
bydrewz lin
 
Appsec2013 presentation
bydrewz lin
 
新浪微博稳定性经验谈
bydrewz lin
 
Appsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitations
bydrewz lin
 
Csrf not-all-defenses-are-created-equal
bydrewz lin
 
Appsec usa2013 js_libinsecurity_stefanodipaola
bydrewz lin
 
Phu appsec13
bydrewz lin
 
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
bydrewz lin
 
Agile sdlc-v1.1-owasp-app sec-usa
bydrewz lin
 

Recently uploaded

PPTX
Becoming Frontier for Dynamics 365 Finance PPT
byjonbravetti
 
PPTX
Fortify Your Digital Defenses with ServiceNow Security Operations by Suma Soft
byGavin Ellis
 
PDF
Unlocking Gen AI Capabilities Within UiPath Document Understanding
byDianaGray10
 
PDF
Hart, Inc. M&A Data Transition Checklist
byHart, Inc.
 
PPTX
Accelerate Innovation with Engineering R&D Services
byChetu
 
PPTX
Spacewalk 2026 - Presented at the IMAX in Raleigh, NC
byAll Things Open
 
PDF
Chapter 2 Computer Threat .pdf
byGetnet Tigabie Askale -(GM)
 
PDF
Just Eat Data Scraping For Restaurant Reviews And Pricing.pdf
byfusiondata2026
 
PPTX
The Abomination of AI – keynote at ICoSCI 2026
byAlan Dix
 
PDF
Adding Copilot+ PCs with Snapdragon to your HP fleet won’t require IT deploym...
byPrincipled Technologies
 
PPTX
Apache Kafka 101 for Techies in IT dep.pptx
byamulyareddyk97
 
PDF
Building Voice Agents with Google Agent Development Kit
bySuresh Peiris
 
PDF
UiPath Coded Agents - A Developer Driven Agentic Automation Era
byUiPathCommunity
 
PDF
6 Insights from the Patron Saint of AI Failure
byScott M. Graffius
 
PDF
Are AI Hallucinations Getting Better or Worse? We Analyzed the Data.
byScott M. Graffius
 
PDF
2006 IEEE International Solid-State Circuits Conference
bySlide_N
 
PDF
Mercury Computer Systems & The Cell Broadband Engine
bySlide_N
 
PPTX
WIFI Enabled 8 by 32 Matrix.pptx for final year project
bymdsabbirhossain524856
 
PPTX
computer science class 11 ( phishing and fraud mails) .pptx
bybalajichess314
 
PPTX
congo red stain nd PAS STAIN histopathology
bybushrariaz1240
 
Becoming Frontier for Dynamics 365 Finance PPT
byjonbravetti
 
Fortify Your Digital Defenses with ServiceNow Security Operations by Suma Soft
byGavin Ellis
 
Unlocking Gen AI Capabilities Within UiPath Document Understanding
byDianaGray10
 
Hart, Inc. M&A Data Transition Checklist
byHart, Inc.
 
Accelerate Innovation with Engineering R&D Services
byChetu
 
Spacewalk 2026 - Presented at the IMAX in Raleigh, NC
byAll Things Open
 
Chapter 2 Computer Threat .pdf
byGetnet Tigabie Askale -(GM)
 
Just Eat Data Scraping For Restaurant Reviews And Pricing.pdf
byfusiondata2026
 
The Abomination of AI – keynote at ICoSCI 2026
byAlan Dix
 
Adding Copilot+ PCs with Snapdragon to your HP fleet won’t require IT deploym...
byPrincipled Technologies
 
Apache Kafka 101 for Techies in IT dep.pptx
byamulyareddyk97
 
Building Voice Agents with Google Agent Development Kit
bySuresh Peiris
 
UiPath Coded Agents - A Developer Driven Agentic Automation Era
byUiPathCommunity
 
6 Insights from the Patron Saint of AI Failure
byScott M. Graffius
 
Are AI Hallucinations Getting Better or Worse? We Analyzed the Data.
byScott M. Graffius
 
2006 IEEE International Solid-State Circuits Conference
bySlide_N
 
Mercury Computer Systems & The Cell Broadband Engine
bySlide_N
 
WIFI Enabled 8 by 32 Matrix.pptx for final year project
bymdsabbirhossain524856
 
computer science class 11 ( phishing and fraud mails) .pptx
bybalajichess314
 
congo red stain nd PAS STAIN histopathology
bybushrariaz1240
 

Appsec2013 presentation-dickson final-with_all_final_edits

  • 1.
    Can AppSec TrainingReally Make a Smart Developer? Research From Denim Group John B. Dickson, CISSP @johnbdickson November 20, 2013
  • 2.
    About Me • ApplicationSecurity Enthusiast • Security Professional • ISSA Distinguished Fellow • MBA-type and Serial Entrepreneur • Dad Hosted by OWASP && the NYC Chapter Hosted by OWASP the NYC Chapter
  • 3.
    About Denim Group DenimGroup Overview •Professional services firm that builds & secures enterprise applications  External application assessments  Web, mobile, and cloud  Software development lifecycle development (SDLC) consulting •Secure development services:  Secure .NET and Java application development  Post-assessment remediation •Classroom and e-Learning for PCI compliance Hosted by OWASP && the NYC Chapter Hosted by OWASP the NYC Chapter
  • 4.
    “I personally believethat training users in security is generally a waste of time, and that the money can be spent better elsewhere.” Bruce Schneier Hosted by OWASP && the NYC Chapter Hosted by OWASP the NYC Chapter
  • 5.
    How Developer Trainingis Different •Both trying to change behaviors – Target audience has more power to say “no” – Deadlines and releases drive training •For developer, infrequent, but more disruptive • 15-45 minutes vs. 2-day class Hosted by OWASP && the NYC Chapter Hosted by OWASP the NYC Chapter
  • 6.
    Yet Training isMandated •PCI DSS 3.0  Train developers in secure coding techniques, including how to avoid common coding vulnerabilities, and understanding how sensitive data is handled in memory.  Testing Procedures: 6.5.a: Examine software development policies and procedures to verify that secure coding technique training is required for developers, based on best practices and guidance.  Testing Procedures: 6.5.b: Interview a sample of developers to verify that they are knowledgeable in secure coding techniques  Testing Procedures: 6.5.c : Examine training records to verify that software developers received training on secure coding techniques, including how to avoid common coding vulnerabilities, and understanding how sensitive data is handled in memory. Hosted by OWASP && the NYC Chapter Hosted by OWASP the NYC Chapter
  • 7.
    But Results AreNot Measured •Harvard Business Review – Large-scale organization development is rare – Measurement of results is even rarer •Workforce analytics rare – More than 25% of survey respondents use little or no workforce analytics – The vast majority (>61%) report their use as tactical, ad hoc, and disconnected from other key systems and processes Hosted by OWASP && the NYC Chapter Hosted by OWASP the NYC Chapter
  • 8.
    Growth & TurnoverSpur Sense of Urgency – Software development field growing 30% – Turnover • Industry – 14-15% • General IT – ~20% • Software Development – ~20 – 30% Sources: Bureau for Labor Statistics and Society of Human Resources Management Hosted by OWASP && the NYC Chapter Hosted by OWASP the NYC Chapter
  • 9.
    Research Overview •Focus: Assessthe software developers depth of software security knowledge •Purpose: To measure the impact of software security training on that level of understanding •Survey size: 600 software developers surveyed in North America (US and Canada) •Vertical markets represented: financial, government, retail, educational, technology, energy and healthcare segments. Hosted by OWASP && the NYC Chapter Hosted by OWASP the NYC Chapter
  • 10.
    Respondent Demographics Hosted byOWASP && the NYC Chapter Hosted by OWASP the NYC Chapter
  • 11.
    Respondent Demographics Hosted byOWASP && the NYC Chapter Hosted by OWASP the NYC Chapter
  • 12.
    Respondent Demographics Hosted byOWASP && the NYC Chapter Hosted by OWASP the NYC Chapter
  • 13.
    Methodology  15 MultipleChoice Quiz-Style Questions  Targeted at Software Developers  Varied by years of experience, amounts of previous training, primary job function, company industry and company size  Distribution:  Online and hard-copy questionnaires given to instructor-led class trainees (before and after)  Social media networks (sharing and some paid promotion with incentives) Hosted by OWASP && the NYC Chapter Hosted by OWASP the NYC Chapter
  • 14.
    Hypotheses 1. Most softwaredevelopers do not have a basic understanding of software security concepts. 2. Software security training can improve a developer’s knowledge of security concepts in the short-term. 3. Certain industries, such as financial services, are more likely to have software developers that are already exposed to key software security concepts. Hosted by OWASP && the NYC Chapter Hosted by OWASP the NYC Chapter
  • 15.
    Sample Questions 4. Ifan attacker were able to view sensitive customer records they should not have had access to, this would be a(n)_______breach. ___ Confidentiality ___ Integrity ___ Availability 7. Authentication is... ___ Proving to an application that the user is who they claim to be ___ Confirming that the user is allowed to access a certain page or function ___Verifying that the data displayed on a given page is authentic ___ Thoroughly logging all of a user's important activity Hosted by OWASP && the NYC Chapter Hosted by OWASP the NYC Chapter
  • 16.
    Key Survey Results •Enterprises of more than 10,000 personnel had the lowest secure coding knowledge Hosted by OWASP && the NYC Chapter Hosted by OWASP the NYC Chapter
  • 17.
    Key Survey Results •Architects and software developers had a much higher level of knowledge than QA, yet in many organizations QA has a material role in application security Hosted by OWASP && the NYC Chapter Hosted by OWASP the NYC Chapter
  • 18.
    Key Survey Results •Slightlymore than half of the respondents correctly answered basic awareness questions on application but struggled with ways to operationalize appsec concepts Hosted by OWASP && the NYC Chapter Hosted by OWASP the NYC Chapter
  • 19.
    Key Survey Results •Almost100 percent could define input validation, demonstrating a choppy understanding of advanced secure coding knowledge. •On the other hand, almost 90 percent correctly identified proper session IDs which is reassuring. Hosted by OWASP && the NYC Chapter Hosted by OWASP the NYC Chapter
  • 20.
    Key Survey Results •Themajority of the respondents had no prior secure coding training, which might be surprising Hosted by OWASP && the NYC Chapter Hosted by OWASP the NYC Chapter
  • 21.
    Key Survey Results •There was no correlation between years of experience and knowledge of secure coding highlighting the continued need for effective security training Hosted by OWASP && the NYC Chapter Hosted by OWASP the NYC Chapter
  • 22.
    Key Survey Results •Therespondents that had had more than 3 days of app sec training in the past were able to answer more than half of the questions correctly. Hosted by OWASP && the NYC Chapter Hosted by OWASP the NYC Chapter
  • 23.
    Key Survey Results •100%correctly identified where cross site scripting executes after completing training, an increase of almost 20 percentage points. Hosted by OWASP && the NYC Chapter Hosted by OWASP the NYC Chapter
  • 24.
    Key Survey Results •Thenumber of respondents able to correctly identify what is application security more than doubled after training was complete. Hosted by OWASP && the NYC Chapter Hosted by OWASP the NYC Chapter
  • 25.
    CONCLUSION • Retention roseby more than 25 percent after completing secure coding training. • Other statistics also reported that application vulnerabilities reduced by over 70 percent after training Hosted by OWASP && the NYC Chapter Hosted by OWASP the NYC Chapter
  • 26.
    Software Developers LearnDifferently than Companies “Teach” • Teaching methods are formalized and structured in order to be repeatable • Type of structures consist of: – On-site & off-site classroom training – E-learning for compliance – Videos, webinars, etc. Hosted by OWASP && the NYC Chapter Hosted by OWASP the NYC Chapter
  • 27.
    So How DoDevelopers Learn? •Informally and and in an unstructured way via: • • • • • Blogs & RSS feeds Social media with emphasis Developer websites Influential e-mail lists Safarionline Hosted by OWASP && the NYC Chapter Hosted by OWASP the NYC Chapter
  • 28.
    Don’t Ignore Basicsof Training •Refresher training is still needed •Training must be included in performance plans •Managers increasingly want an ROI Hosted by OWASP && the NYC Chapter Hosted by OWASP the NYC Chapter
  • 29.
    Incentives Matter! Hosted byOWASP && the NYC Chapter Hosted by OWASP the NYC Chapter
  • 30.
    CONCLUSION • Software developerslargely do not understand key software security concepts  73% of respondents “failed” the initial survey  Average score of 59% before training • However, software developers’ understanding of key software security concepts did increase after training Hosted by OWASP && the NYC Chapter Hosted by OWASP the NYC Chapter
  • 31.
    Where do weGo from Here? Hosted by OWASP && the NYC Chapter Hosted by OWASP the NYC Chapter
  • 32.
    Questions and Answers? JohnB. Dickson @johnbdickson john@denimgroup.com Hosted by OWASP && the NYC Chapter Hosted by OWASP the NYC Chapter

Editor's Notes

  • #8 http://gridinternational.com/fm_files/HBR_Articles/HBR_Breakthrough_in_Organization_Development_-_Harvard_Business_Review1.pdf Strangely enough, large-scale organization development is rare, and the measurement of results is even rarer. Even though management has sought for years to grasp and implement the important findings of behavioral science research, the task has proved more difficult than it first seemed. Many findings are subtle and complex. Other findings relate to individual insights or knowledge which is hard to build into the organization’s life stream. Connecting Workforce Analytics to Better Business Results http://talent.sumtotalsystems.com/rs/sumtotalsystems/images/HBR_SumTotal_Report_Aug2013_rev1.pdf
  • #9 Growth & Turnover Employment of software developers is projected to grow 30 percent from 2010 to 2020, The main reason for the rapid growth is: a large increase in the demand for computer software Mobile technology requires new applications the healthcare industry is greatly increasing its use of computer systems and applications Source: http://www.bls.gov/ooh/Computer-and-Information-Technology/Software-developers.htm#tab-6 http://compforce.typepad.com/compensation_force/2009/03/2008-turnover-rates-by-industry.html 14-15% Source: http://www.shrm.org/research/benchmarks/documents/trends%20in%20turnover_final.pdf
  • #17 19% passing rate among companies with over 10,000 employees Observation/Note: Training tactics and frequency in larger organizations?
  • #19 Yet, only about 20 percent could define the terms application security or threat modeling, the most basic of security skills
  • #20 19% passing rate among companies with over 10,000 employees Observation/Note: Training tactics and frequency in larger organizations?
  • #21 19% passing rate among companies with over 10,000 employees Observation/Note: Training tactics and frequency in larger organizations?
  • #22 19% passing rate among companies with over 10,000 employees Observation/Note: Training tactics and frequency in larger organizations?
  • #24 19% passing rate among companies with over 10,000 employees Observation/Note: Training tactics and frequency in larger organizations?
  • #25 19% passing rate among companies with over 10,000 employees Observation/Note: Training tactics and frequency in larger organizations?
  • #26 Average score increased from 59% to 74% “Pass” rate increased from 27% to 67% Observation – 33% of respondents still failed after training
  • #28 Bryan Beveryly I follow a series of RSS feeds that I keep pretty regularly pruned. I focus on feeds that cover applied technology and development practices over theory. The .NET teams have some okay feeds, but Scott Hu is a real no-shit .NET developer and he has a much better set of content. Usually the good ones lead me to other good ones. The lousy ones or ones with stale content get pruned.  I have moved all of my framework feeds to just following them on Twitter because it's generally less noise. That's how I find out about updates to Grails/Groovy, Spring libraries, .NET MVC, Java, etc.
  • #29 Bryan Beveryly I follow a series of RSS feeds that I keep pretty regularly pruned. I focus on feeds that cover applied technology and development practices over theory. The .NET teams have some okay feeds, but Scott Hu is a real no-shit .NET developer and he has a much better set of content. Usually the good ones lead me to other good ones. The lousy ones or ones with stale content get pruned.  I have moved all of my framework feeds to just following them on Twitter because it's generally less noise. That's how I find out about updates to Grails/Groovy, Spring libraries, .NET MVC, Java, etc.
  • #30 Bryan Beveryly I follow a series of RSS feeds that I keep pretty regularly pruned. I focus on feeds that cover applied technology and development practices over theory. The .NET teams have some okay feeds, but Scott Hu is a real no-shit .NET developer and he has a much better set of content. Usually the good ones lead me to other good ones. The lousy ones or ones with stale content get pruned.  I have moved all of my framework feeds to just following them on Twitter because it's generally less noise. That's how I find out about updates to Grails/Groovy, Spring libraries, .NET MVC, Java, etc.
  • #33 http://www.entrepreneur.com/article/220569 http://blogs.hbr.org/2010/06/how-to-translate-training-into/ Luckily the “fix” for these kinds of programs is really quite simple: Require that participants come to the program with a specific business challenge (either individually or as a team); build time into the program to create a plan for addressing that challenge based on the content that is presented; and then insist that managers execute against these plans after the program http://gridinternational.com/fm_files/HBR_Articles/HBR_Breakthrough_in_Organization_Development_-_Harvard_Business_Review1.pdf