The Importance of Security Training

By John Heimann

May 23, 2006: Security training is at the heart of writing good code, writes CIO Update guest columnist John Heimann of Oracle.

Everyone involved with software development, deployment, or procurement understands that security is important. As such, it is an area that CIOs consistently identify as a top priority for new IT investment.

Most IT executives now recognize that software security is not just about security features, but also depends on security assurance. System security can be improved through good security mechanisms, but can also be undermined through faulty design or implementation.

Security bugs that allow a malicious user to bypass system security mechanisms are at best a source of concern, and take time and effort to patch. At worst, they can make a software system as vulnerable to attackers as if security mechanisms were never implemented.

Security training for developers is important because most organizations write at least some of the software they use, or customize vendor-written software. Without security training, developers are less likely to produce secure code.

It’s an unfortunate fact that most developers are not required to learn secure coding practices in school. While computer science majors are introduced to design and coding techniques that improve software performance and scalability, relatively few are exposed to secure system design principles, or taught how to avoid common coding errors that result in security bugs.

For example, many programmers would consider an explicit check on the length of an input parameter to be unnecessary and wasteful of processor cycles until they are introduced to the concept of a buffer overflow, in which input longer than the buffer that receives it overwrites adjacent memory. The overflow is a favorite means for sophisticated hackers to introduce malicious code into a system.
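To make the length-check point concrete, here is an added example written for this edit (it is not code from the article or from Oracle): the same fixed-size name field copied once without the check, the way a developer who has never heard of buffer overflows might write it, and once with the explicit bound. The buffer size, function names and sample inputs are constructed for the illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Fixed-size field as it might appear in a request handler (constructed). */
#define NAME_LEN 16

/*
 * Vulnerable form: strcpy copies until it finds the NUL terminator and
 * never looks at how much room the destination has.  Any input of
 * NAME_LEN bytes or more overruns dst and overwrites whatever sits next
 * to it in memory (other locals, saved registers, the return address).
 */
void copy_name_unchecked(char dst[NAME_LEN], const char *src)
{
    strcpy(dst, src);   /* no length check: classic stack buffer overflow */
}

/*
 * Hardened form: the "wasteful" explicit check.  Returns 0 on success and
 * -1 if the input does not fit, leaving dst as an empty string.  The
 * caller must treat -1 as a rejected input rather than carrying on with
 * a silently truncated value.
 */
int copy_name_checked(char dst[NAME_LEN], const char *src)
{
    size_t n = 0;

    /* Bounded scan: never read past NAME_LEN bytes of src either. */
    while (n < NAME_LEN && src[n] != '\0') {
        n++;
    }
    if (n == NAME_LEN) {        /* no room for the terminator: refuse */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);    /* n bytes plus the NUL terminator */
    return 0;
}

int main(void)
{
    char name[NAME_LEN];

    /* Constructed inputs: one that fits, one that would overflow. */
    const char *ok = "alice";
    const char *oversized = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";  /* 32 bytes */

    printf("checked(\"%s\") = %d -> \"%s\"\n",
           ok, copy_name_checked(name, ok), name);
    printf("checked(32 x 'A') = %d (rejected)\n",
           copy_name_checked(name, oversized));

    /* The unchecked version is only called with input that fits;
     * copy_name_unchecked(name, oversized) would corrupt the stack. */
    copy_name_unchecked(name, ok);
    printf("unchecked(\"%s\") -> \"%s\"\n", ok, name);
    return 0;
}
```

The cost of the check is one bounded loop over at most NAME_LEN bytes, which is the "wasted" processor time the paragraph refers to; the cost of omitting it is an attacker-controlled write past the end of the buffer.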

Unlike developers, hackers are well aware of common design and coding errors, and are adept at finding them in other peoples’ systems. The fact that most organizations make at least some part of their operations or IT systems web-accessible makes a hacker’s job easier and safer (for the hacker).

To keep ahead of hackers, companies must make sure that their development personnel know at least a little of what hackers know, so they can avoid the types of problems hackers exploit. Formal developer training programs are an effective way to do this.

Have Standards and Teach Them

How can a company implement a security training program? Although it sounds obvious, the first requirement for effective developer security training is that a company defines what their developers need to know.

Appropriate goals for a security training program are to ensure developers understand the security standards, practices, and guidelines the company uses when developing and deploying systems—assuming such standards, practices, and guidelines exist.

It’s essential that IT organizations have standards and policies for secure software development and deployment in the first place, and that security training is based on, and refers to, these standards.

Companies that develop software, or run their operations on internally developed software, often write detailed security guidelines specifically for that software (e.g., Oracle has written internal secure coding standards for its developers, and has published security best-practice deployment guidelines for internal and external customers).

Companies that are less development-focused may choose to use security standards established by third parties. These may include government organizations such as the National Institute of Standards and Technology (NIST), private organizations such as the Center for Internet Security (CIS), the SANS Institute, and consulting firms (or practices within firms) that specialize in security.

Given Oracle’s global development organization, we instituted a self-paced, Web-based security training class for internal use. The class introduces developers to Oracle’s secure coding standards, and provides examples of coding errors gleaned from real life code examples.

Developers are required to take a knowledge test at the end of the program, and must answer a series of questions correctly in order to pass. We track the security training completion status of each developer and provide regular reports on training compliance to development management and to senior corporate management to ensure a level of security training is maintained in each organization.

Companies with smaller development organizations may consider using instructor-led training, either live or on the Web, to avoid the up front cost of a custom training application.

Some of the organizations (e.g., SANS) that create security guidelines for other companies also offer training programs that are based on, and refer to, the security guidelines they create. If a company chooses to use standards or developer training programs provided by a third party, they need to ensure that the standards and training are appropriate for their own technology and business environment.

Making it a Priority

Software development is skilled, creative work, and is inherently an expensive process. When internal project deadlines, or external product release dates grow near, software managers may be reluctant to make time for activities, like security training, which will take developers away from immediate project deliverables.

Organizations should address this problem from the top down and bottom up. For example, product executives at Oracle are briefed on the cost of security bugs in software products, which may exceed $1 million per bug just for patch development, and on the potential impact of bugs to product sales and corporate reputation.

Since every security bug avoided through improved developer knowledge pays for training several thousand developers, implementing a developer training program is a simple business decision. These classes generate results: There are many examples of developers who identified and fixed security bugs in their own code after taking the security training class.

Organizations that don’t develop software products should consider the potential costs resulting from security bugs in internally developed operations or IT software when considering security training.

Among the potential consequences of security bugs are interruption of critical business operations, corruption of critical data, theft of vital intellectual property, disclosure of sensitive customer or employee information, and failure to comply with government regulations (some of which, such as Sarbanes-Oxley, make corporate executives personally liable for lack of compliance).

When compared to these costs, training costs are generally minor.

John Heimann manages Oracle's Security Program Management team. His team participates in security initiatives across Oracle, helping to enforce security policies as well as looking for opportunities to improve Oracle's software security assurance processes.
