
Security BSides San Francisco will take place this coming Sunday and Monday, and we have highlighted a few of the premier sessions that will occur, with the first two articles looking at Craig Young’s A Day in the Life of a Security Researcher and Ken Westin’s Telmex Email Security Hole – My Email was Indexed by Google.

We also took a look at Lance Cottrell’s Using System Fingerprints to Track Attackers and a session by Billy Rios (@XSSniper) titled ICS and Embedded Security Research – A Primer.

Our final BSidesSF preview looks at a session titled Security Training: Necessary Evil, Waste of Time or a Genius Move? being presented by John Dickson (@johnbdickson).

Dickson is a security professional, entrepreneur and Principal at Denim Group, Ltd, a leading secure software development firm.

He has nearly 20 years in the information security field including hands-on experience with intrusion detection systems, network security and software security in the commercial and government sectors.

In his current position at Denim Group, Dickson advises business leaders and chief security officers of Fortune 500 companies and federal organizations who seek to launch and expand software security initiatives, and is a sought-after speaker on security topics at industry venues such as the RSA Conference, the SANS Institute, OWASP events, and other international security conferences.

Dickson is a former United States Air Force officer who served in the Air Force Information Warfare Center (AFIWC) and was a member of the Air Force Computer Emergency Response Team (AFCERT).

Since his transition to the commercial arena, he has played significant client-facing roles at Trident Data Systems, KPMG and SecureLogix Corporation, and is an Honorary Commander for the 67th Cyberspace Wing, which organizes, trains, and equips United States Air Force units to conduct network defense, attack, and exploitation.

Dickson says there is virtually no quantitative data out there that draws a line between secure development training and the impact on the security of source code itself, and says his presentation and a corresponding survey provide a first stab at trying to quantify two important things.

“First, it tries to quantify how much software developers know about application security concepts after ten plus years of application-level vulnerabilities grabbing the headlines,” Dickson said. “Second, it tries to measure a ‘before and after’ on appsec training to find out whether or not it increased developers’ knowledge of defensive coding concepts.”

There’s a conventional wisdom in the corporate world that training a software developer on application security concepts and defensive coding strategies will produce a smarter developer and ultimately more secure code, but the impact of this training has never been actually quantified, hence the need for deeper analysis.

“Most in the field rely purely on anecdote or war stories to address the topic,” Dickson said. “I feel I’ve opened up a bit of a can of worms by questioning the training orthodoxy, but the project has been a fun one. You should care if you are working with developers or are asked by upper management about numbers to back up training efforts.”

Dickson says his target audience is application security managers specifically, but in a general sense all security managers and software team managers will benefit from the session, and anyone who attempts to change developer behavior via training efforts will be deeply interested in the numbers.

“I am hoping the audience will come away with a sense of how hard a problem quantifying impact is, and that having zero numbers to go on is not an acceptable approach,” Dickson said.

“Developer training has always had a ‘feel good’ aspect, which contributes to the conventional wisdom that training is good. What I hope they learn is that just dumping security training on software developers will no longer be effective.”

Dickson said his survey methodology had several limitations that he will address during the talk, such as sample bias, which made the research all the more difficult to conduct effectively.

“I actually had three Political Science professors review the survey methodology and had a full-time graduate student working with me throughout the project,” Dickson said. “I had her stomp through the survey mine field to find as many land mines as she possibly could.”

One of the more surprising things Dickson said he discovered in the course of this survey was that most software developers learn informally – via Twitter, RSS feeds, etc. – yet companies provide training in very formalized ways, like highly structured e-Learning or classroom offerings, which makes that training less effective.

“I think training in the future on secure development will be delivered in smaller chunks, which will be more interactive and include aspects of gamification,” Dickson predicted.

“It’s surprising that there is really very little data out there on this topic, and I am hoping that this research gets others thinking and questioning training orthodoxies, and that they demand more data from vendors.”



Title image courtesy of ShutterStock