Re: Security training of developers and company liability

[Daniel <deeper () gmail com>]

i wouldnt get caught up with the CMA, its a pretty useless law when it
comes to todays Internet

1.-(1) A person is guilty of an offence if-
 (a) he causes a computer to perform any function with intent to secure
access to any program or data held in any computer;

So whats a function? is making the web server serve a html file a function?
"intent to secure access", well thats the whole point of the Internet
isnt it, securing access to data and web applications?



On 12/8/05, Jeff Robertson <jeff.robertson () digitalinsight com> wrote:
> If possible, use their own previously-written code instead of WebGoat for
> the total "scared straight" experience. ;-)
>
> > -----Original Message-----
> > From: James Strassburg [mailto:JStrassburg () directs com]
> > Sent: Wednesday, December 07, 2005 11:51
> > To: webappsec () securityfocus com
> > Subject: Security training of developers and company liability
> >
> > I am currently training all of my organization's software
> > developers on web application security.  I'm using WebScarab
> > and WebGoat as my primary teaching tools as I feel that
> > seeing how the problems are exploited is much more effective
> > than trying to cover every type of coding mistake that can
> > lead to the problems.  My question is about company liability.
> > What if one of the developers used the information learned to
> > attack another site?  Is my company liable for their actions
> > as we taught them how to do it?  Should I have our legal
> > department create a disclaimer or waiver for them to sign?
> >
> > I will be asking the same questions directly to our legal
> > department but thought a discussion here could provide some
> > more insight and be valuable for others.  thanks.
> >
> >
> > James A. Strassburg Jr.
> > Software Security Architect
> > Direct Supply, Inc.