WebApp Sec mailing list archives

RE: Training for web developers?


From: "Arian J. Evans" <arian () anachronic com>
Date: Tue, 11 Nov 2003 21:29:36 -0600

Mark,

We run a half-day Secure Web Programming course in New Zealand for our
clients.  The aim is to try and get developers to think a bit more like a
hacker and look for security holes.

We do about the same thing as Nicholas described, other than it's a full day.
The first half of the day is OSI, architecture, the evolution of web vulns and
examples of what the threat and vuln landscape for applications really is (e.g.
who has been hacked and how).

The second half of the day is hacking, covering the OWASP spectrum. We
focus really hard on the fact that this is nothing new. It's not some new
mystical security land. It's about strongly typing data, and validating input
for both type and integrity (if handed off to the client). It's about good QA.

In other words, it is a difference of /degree/, not of /kind/, compared to any
other input *bug*. Hey, Rob's report doesn't run right. Injecting SQL into the
report query is potentially a much bigger issue than just failing to return the
proper data due to a *normal* bug, but it's the same thing.

We focus on predictable and dependable behavior (not "Security(tm)"), and
good unit testing aka agile/extreme programming approach to unit testing.
This approach seems to work; not sure what part of the world you are in
but I suspect there's a number of us out there offering these type of services,
probably some in your area.

Cheers,

Arian J. Evans
(http://www.fishnetsecurity.com)
(arian.evans () fishnetsecurity com)
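The "Rob's report" argument above, worked through in code. This is an added example, not code from Arian's post or from his course: a constructed in-memory SQLite table, a report function that pastes its parameter into the query, and the strongly typed, parameterized version beside it. The same helper that unit-tests the "normal" bug (a non-numeric id breaks the query) also shows the degree-not-kind case (an over-broad id returns rows it should not).

```python
import sqlite3
from typing import Any, Callable

# Constructed sample data (not from the original post): a tiny orders table
# that a per-customer "report" query reads from.
def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders (id INTEGER, customer_id INTEGER, total REAL)")
    db.executemany("INSERT INTO orders VALUES (?, ?, ?)",
                   [(1, 7, 10.0), (2, 7, 5.5), (3, 8, 99.0)])
    return db

def report_unsafe(db: sqlite3.Connection, customer_id: Any) -> list:
    # The report that "doesn't run right": the parameter is pasted into the
    # SQL as text, so its type is never checked and it can become syntax.
    sql = f"SELECT id, total FROM orders WHERE customer_id = {customer_id} ORDER BY id"
    return db.execute(sql).fetchall()

def report_safe(db: sqlite3.Connection, customer_id: Any) -> list:
    # Strong typing first: the id must be an int, or a string holding one.
    # bool is excluded explicitly because it is a subclass of int in Python.
    if isinstance(customer_id, bool) or not isinstance(customer_id, (int, str)):
        raise ValueError("customer_id must be an integer")
    try:
        cid = int(customer_id)          # rejects "seven" and "7 OR 1=1" alike
    except ValueError:
        raise ValueError(f"customer_id is not an integer: {customer_id!r}") from None
    # Then a parameterized query: the bound value can never alter the statement.
    return db.execute(
        "SELECT id, total FROM orders WHERE customer_id = ? ORDER BY id", (cid,)
    ).fetchall()

def outcome(report_fn: Callable, db: sqlite3.Connection, value: Any) -> tuple:
    # Unit-test helper in the spirit of the post: summarise what a report
    # function does with one input, so the same check covers both bug grades.
    try:
        return ("rows", len(report_fn(db, value)))
    except ValueError:
        return ("rejected", "ValueError")       # input validation did its job
    except sqlite3.Error as e:
        return ("broken", type(e).__name__)     # the "normal" input bug

if __name__ == "__main__":
    db = make_db()
    for value in (7, "seven", "7 OR 1=1", True):
        print(repr(value), outcome(report_unsafe, db, value), outcome(report_safe, db, value))
```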

