RE: Security training of developers and company liability

[Jeff Robertson <jeff.robertson () digitalinsight com>]

If possible, use their own previously-written code instead of WebGoat for
the total "scared straight" experience. ;-)

> -----Original Message-----
> From: James Strassburg [mailto:JStrassburg () directs com] 
> Sent: Wednesday, December 07, 2005 11:51
> To: webappsec () securityfocus com
> Subject: Security training of developers and company liability
>
> I am currently training all of my organization's software 
> developers on web application security.  I'm using WebScarab 
> and WebGoat as my primary teaching tools as I feel that 
> seeing how the problems are exploited is much more effective 
> than trying to cover every type of coding mistake that can 
> lead to the problems.  My question is about company liability.
> What if one of the developers used the information learned to 
> attack another site?  Is my company liable for their actions 
> as we taught them how to do it?  Should I have our legal 
> department create a disclaimer or waiver for them to sign?
>  
> I will be asking the same questions directly to our legal 
> department but thought a discussion here could provide some 
> more insight and be valuable for others.  thanks.
>  
>  
> James A. Strassburg Jr.       
> Software Security Architect   
> Direct Supply, Inc.