An Information Security Place

Commentary on the State of Information Security
Filed under Security

Great post at the Security Retentive blog about training developers on the basics of security. This quote kills me:

I can’t even begin to count the number of discussions I’ve had with web developers who don’t understand HTTP basics, what the protocol actually looks like, what cookies really are, how browsers handle them, etc. They don’t understand TCP/IP, DNS, Ethernet, etc.

I have never been and never will be a developer, so I don’t understand their world. But it seems so foreign to me that someone could not know the basics of IP and HTTP while developing products that ride on those very protocols. Of course, security was not a factor in development for so long that this is knowledge that still has to be built up (no pun intended), which is exactly the point the post makes. Hopefully it is just a matter of willingness on the part of developers, diligence from security professionals, and time before secure coding becomes a habit.
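Since the quote is about what HTTP actually looks like on the wire, what a cookie really is and what a browser does with it, here is an added example to make that concrete. It is my own illustration, not code from this post or from the Security Retentive post: the HTTP response bytes are constructed (www.example.com, api.example.com and evil.example are placeholder hosts, not a real server), and the cookie jar is a deliberately simplified model of the RFC 6265 rules a browser applies, with no public-suffix list, no expiry handling and SameSite parsed but not enforced.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample response to GET https://www.example.com/login (placeholder hosts, not a real server).
RAW_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    b"Set-Cookie: prefs=dark; Domain=example.com; Path=/account\r\n"
    b"Set-Cookie: track=1; Domain=evil.example\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)
REQUEST_URL = "https://www.example.com/login"

@dataclass
class Cookie:
    name: str
    value: str
    domain: str
    host_only: bool   # no Domain attribute: sent only to the exact host that set it
    path: str
    secure: bool      # sent only over https
    http_only: bool   # never exposed to document.cookie

def parse_response(raw):
    """Status line plus a list of (name, value) pairs, so repeated Set-Cookie survives."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers

def default_path(request_path):
    """RFC 6265 5.1.4: the request path up to, but not including, its last '/'."""
    if not request_path.startswith("/") or request_path.count("/") == 1:
        return "/"
    return request_path.rsplit("/", 1)[0]

def domain_matches(host, domain):
    return host == domain or host.endswith("." + domain)

def path_matches(request_path, cookie_path):
    """RFC 6265 5.1.4 path-match: equal, or a prefix ending at a '/' boundary."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False

def parse_set_cookie(value, request_host, request_path):
    """One Set-Cookie value -> Cookie, or None where a browser would reject it
    (Domain not covering the responding host). Simplified model: no public-suffix
    list, no Expires/Max-Age handling, SameSite parsed but not enforced."""
    parts = [p.strip() for p in value.split(";")]
    name, _, val = parts[0].partition("=")
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip()
    domain = attrs.get("domain", "").lstrip(".").lower()
    if domain and not domain_matches(request_host, domain):
        return None
    path = attrs.get("path", "")
    if not path.startswith("/"):
        path = default_path(request_path)
    return Cookie(name.strip(), val, domain or request_host, not domain, path,
                  "secure" in attrs, "httponly" in attrs)

def store_response_cookies(raw, request_url):
    """Apply every Set-Cookie in a response the way a browser's cookie jar would."""
    url = urlsplit(request_url)
    _status, headers = parse_response(raw)
    jar = []
    for name, value in headers:
        if name == "set-cookie":
            c = parse_set_cookie(value, url.hostname.lower(), url.path or "/")
            if c is not None:
                jar.append(c)
    return jar

def cookies_for(jar, url, from_script=False):
    """Cookies attached to a request for url (or visible to document.cookie when
    from_script is True), longer paths first as RFC 6265 5.4 requires."""
    u = urlsplit(url)
    host, path, https = u.hostname.lower(), u.path or "/", u.scheme == "https"
    out = []
    for c in jar:
        mismatch = host != c.domain if c.host_only else not domain_matches(host, c.domain)
        if mismatch or not path_matches(path, c.path) or (c.secure and not https):
            continue
        if not (from_script and c.http_only):
            out.append(c)
    return sorted(out, key=lambda c: -len(c.path))

def cookie_header(jar, url):
    """The Cookie: request header a browser would send to url."""
    return "; ".join(f"{c.name}={c.value}" for c in cookies_for(jar, url))
```

Feeding RAW_RESPONSE through store_response_cookies shows the three things the quote is complaining developers miss: the track cookie is silently dropped because its Domain does not cover the host that sent it; cookie_header for https://www.example.com/account/settings returns "prefs=dark; session=abc123" but for the same path over plain http returns only "prefs=dark", because Secure keeps the session cookie off the wire; and cookies_for with from_script=True never returns the HttpOnly session cookie, which is the whole point of setting that flag on a session token.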

Shameless employer plug: Accuvant’s Security Assessment group does application security assessments and also has courses on secure coding techniques. 

Vet

Posted by Michael Farnum on Monday, May 14th, 2007