WebApp Sec mailing list archives

RE: Security training of developers and company liability

From: "James Strassburg" <JStrassburg () directs com>
Date: Thu, 8 Dec 2005 10:10:05 -0600

I am cross-referencing our code where I can to either provide a
contextual example or show other ways the vulnerabilities arise.  In the
class so far there have been a lot of a-ha's and "people do that?"'s.
In response to the people do that question I was actually able to
respond: We'll, you have done that.  To one fellow.  I agree that seeing
their own code drives the points home but WebGoat is a much better
framework for learning how the attacks are preformed.

James Strassburg

-----Original Message-----
From: Jeff Robertson [mailto:jeff.robertson () digitalinsight com] 
Sent: Thursday, December 08, 2005 6:58 AM
To: James Strassburg; webappsec () securityfocus com
Subject: RE: Security training of developers and company liability

If possible, use their own previously-written code instead of WebGoat
for
the total "scared straight" experience. ;-)

-----Original Message-----
From: James Strassburg [mailto:JStrassburg () directs com] 
Sent: Wednesday, December 07, 2005 11:51
To: webappsec () securityfocus com
Subject: Security training of developers and company liability

I am currently training all of my organization's software 
developers on web application security.  I'm using WebScarab 
and WebGoat as my primary teaching tools as I feel that 
seeing how the problems are exploited is much more effective 
than trying to cover every type of coding mistake that can 
lead to the problems.  My question is about company liability.
What if one of the developers used the information learned to 
attack another site?  Is my company liable for their actions 
as we taught them how to do it?  Should I have our legal 
department create a disclaimer or waiver for them to sign?

I will be asking the same questions directly to our legal 
department but thought a discussion here could provide some 
more insight and be valuable for others.  thanks.

James A. Strassburg Jr.       
Software Security Architect   
Direct Supply, Inc.

Current thread:

Security training of developers and company liability James Strassburg (Dec 07)
- Re: Security training of developers and company liability Stephen de Vries (Dec 08)
  - RE: Security training of developers and company liability Clement Dupuis (Dec 08)
- RE: Security training of developers and company liability Lyal Collins (Dec 08)
  - RE: Security training of developers and company liability Clement Dupuis (Dec 08)
  - Re: Security training of developers and company liability Daniel (Dec 08)
- <Possible follow-ups>
- RE: Security training of developers and company liability Griffiths, Ian (Dec 08)
- RE: Security training of developers and company liability Brokken, Allen P. (Dec 08)
- RE: Security training of developers and company liability Jason Gregson (Dec 08)
- RE: Security training of developers and company liability James Strassburg (Dec 08)
- RE: Security training of developers and company liability Jeff Robertson (Dec 08)
  - Re: Security training of developers and company liability Daniel (Dec 09)
- RE: Security training of developers and company liability Harley David (Dec 12)
- RE: Security training of developers and company liability James Strassburg (Dec 12)
- RE: Security training of developers and company liability Wall, Kevin (Dec 13)