WebApp Sec mailing list archives
Re: Security training of developers and company liability
From: Daniel <deeper () gmail com>
Date: Fri, 9 Dec 2005 14:34:50 +0000
i wouldnt get caught up with the CMA, its a pretty useless law when it comes to todays Internet 1.-(1) A person is guilty of an offence if- (a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer; So whats a function? is making the web server serve a html file a function? "intent to secure access", well thats the whole point of the Internet isnt it, securing access to data and web applications? On 12/8/05, Jeff Robertson <jeff.robertson () digitalinsight com> wrote:
If possible, use their own previously-written code instead of WebGoat for the total "scared straight" experience. ;-)-----Original Message----- From: James Strassburg [mailto:JStrassburg () directs com] Sent: Wednesday, December 07, 2005 11:51 To: webappsec () securityfocus com Subject: Security training of developers and company liability I am currently training all of my organization's software developers on web application security. I'm using WebScarab and WebGoat as my primary teaching tools as I feel that seeing how the problems are exploited is much more effective than trying to cover every type of coding mistake that can lead to the problems. My question is about company liability. What if one of the developers used the information learned to attack another site? Is my company liable for their actions as we taught them how to do it? Should I have our legal department create a disclaimer or waiver for them to sign? I will be asking the same questions directly to our legal department but thought a discussion here could provide some more insight and be valuable for others. thanks. James A. Strassburg Jr. Software Security Architect Direct Supply, Inc.
Current thread:
- Re: Security training of developers and company liability, (continued)
- Re: Security training of developers and company liability Stephen de Vries (Dec 08)
- RE: Security training of developers and company liability Clement Dupuis (Dec 08)
- RE: Security training of developers and company liability Lyal Collins (Dec 08)
- RE: Security training of developers and company liability Clement Dupuis (Dec 08)
- Re: Security training of developers and company liability Daniel (Dec 08)
- RE: Security training of developers and company liability Griffiths, Ian (Dec 08)
- RE: Security training of developers and company liability Brokken, Allen P. (Dec 08)
- RE: Security training of developers and company liability Jason Gregson (Dec 08)
- RE: Security training of developers and company liability James Strassburg (Dec 08)
- RE: Security training of developers and company liability Jeff Robertson (Dec 08)
- Re: Security training of developers and company liability Daniel (Dec 09)
- RE: Security training of developers and company liability Harley David (Dec 12)
- RE: Security training of developers and company liability James Strassburg (Dec 12)
- RE: Security training of developers and company liability Wall, Kevin (Dec 13)
- Re: Security training of developers and company liability Stephen de Vries (Dec 08)