Re: Security training of developers and company liability

[Stephen de Vries <stephen () corsaire com>]

I used to be a trainer on the ISS Ethical Hacking course in the UK  
and it was standard practice to have the delegates sign a waiver that  
they would only use their new powers in defense of the empire.

Not sure whether this was strictly necessary in the UK, it could have  
been a knee jerk reaction from the US legal department.
It rarely hurts to play it safe.

cheers,
Stephen

On 7 Dec 2005, at 23:51, James Strassburg wrote:

> I am currently training all of my organization's software  
> developers on
> web application security.  I'm using WebScarab and WebGoat as my  
> primary
> teaching tools as I feel that seeing how the problems are exploited is
> much more effective than trying to cover every type of coding mistake
> that can lead to the problems.  My question is about company  
> liability.
> What if one of the developers used the information learned to attack
> another site?  Is my company liable for their actions as we taught  
> them
> how to do it?  Should I have our legal department create a  
> disclaimer or
> waiver for them to sign?
>
> I will be asking the same questions directly to our legal  
> department but
> thought a discussion here could provide some more insight and be
> valuable for others.  thanks.
>
>
> James A. Strassburg Jr. 
> Software Security Architect     
> Direct Supply, Inc.