News from the ‘In the News’ Category

IT World: Rob Cheyne on Developer Tools and Why You Don’t Use Them

Some of the reasons developers don’t use tools: not needing the functionality, the tools not being part of the development process, and the difficulty of convincing management they’re necessary. Rob Cheyne, founder and CEO, Safelight Security Advisors, weighs in on these issues and points to debuggers as an example of a tool category that took some time to catch on. “The tools that truly improve ROI will always be adopted in the long run,” says Cheyne.

Full Story

Rob is an expert in training development teams on application security and can be contacted at rcheyne@securityadvisors.com

The Human Factor in the Twitter Hack

An interesting little rumor recently made its way across the Internet. Twitter, the poster child for Web 2.0 social networking, has apparently been having some security problems. It turns out that the attackers didn’t need to do anything sophisticated at all. For at least one of their systems, Twitter’s admin password was, wait for it … password.

As an author of the well-known password cracking tool L0phtCrack, I have seen thousands of cracked passwords at a time, and I’ve got to tell you, this is not particularly surprising. I can assure you that the most popular password on the planet is indeed password, followed closely by things like:

  • secret
  • welcome123 (or other default passwords)
  • qwerty, asdfg (and other silly keyboard patterns)
  • Porsche, Mercedes, Ferrari, etc.
  • Red Sox, Yankees, Patriots, etc., etc., etc.
  • Name and/or birth dates of loved ones, friends, pets, etc.

You get the idea. Password technology has been fundamentally flawed for quite some time, but with solid security practices, and the right training, it can still be used effectively if you know how. Unfortunately, most people don’t know how, even some of the ones who should.

Of course, Twitter’s comeback was that this was for a system that didn’t need to be as secure. I’ve got to be honest here. I’ve heard that one before – it’s called an excuse. We need to stop being afraid to come out and say, “Yes, there was a security incident. We were a bit lax in our security procedures and we have addressed the holes. We’re taking it seriously and correcting the mistake to lessen the likelihood that it happens again.”

As long as there are humans running systems, there will always be security flaws. Everyone makes mistakes, and some of those mistakes cause security holes.

But c’mon, password??? I’ve conducted security reviews for many large enterprises, and from what I’ve seen, when people make such basic mistakes, there are almost certainly far bigger flaws elsewhere in the system.

You see, passwords are just the tip of the iceberg. Building a secure system requires a very different mindset than simply “make it work.” And it is significantly more difficult if everyone on the team doesn’t have it. In my next post, I’ll talk more about the effects of the human factor in security and some of the biggest people problems.

–Rob Cheyne
rcheyne@securityadvisors.com
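The categories in the list above map directly onto a blocklist check that a registration or admin password-change flow can run before accepting a password. The following is an added example, not code from the post or from Safelight; its word lists are constructed samples, and a real check would load a full breached-password corpus instead of a handful of entries.

```python
import re

# Constructed sample lists for this added example; a production check would load
# a full breached-password corpus rather than these few entries.
COMMON_PASSWORDS = {"password", "secret", "welcome123", "welcome", "letmein", "changeme"}
CAR_AND_TEAM_WORDS = {"porsche", "mercedes", "ferrari", "redsox", "yankees", "patriots"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")


def _forms(pw):
    """Return the lowercased password plus stripped forms, so that 'Password1!'
    and 'Red Sox' still match the base word."""
    lower = pw.lower()
    alnum = re.sub(r"[^a-z0-9]", "", lower)
    letters = re.sub(r"[^a-z]", "", lower)
    return {lower, alnum, letters} - {""}


def is_keyboard_pattern(candidate, min_len=4):
    """True when the string is a run of min_len or more adjacent keys along one
    keyboard row, in either direction (qwerty, asdfg, 0987...)."""
    if len(candidate) < min_len:
        return False
    return any(candidate in row or candidate in row[::-1] for row in KEYBOARD_ROWS)


def weak_password_reason(pw, personal_terms=()):
    """Return why the password is weak, or None if none of the listed categories
    apply. personal_terms are names, dates, pets etc. tied to the user."""
    forms = _forms(pw)
    if forms & COMMON_PASSWORDS:
        return "common or default password"
    if forms & CAR_AND_TEAM_WORDS:
        return "car brand or sports team"
    if any(is_keyboard_pattern(f) for f in forms):
        return "keyboard pattern"
    personal = {re.sub(r"[^a-z0-9]", "", t.lower()) for t in personal_terms} - {""}
    if any(len(t) >= 3 and t in f for t in personal for f in forms):
        return "contains personal information"
    return None
```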

Safelight Security Advisors Launches e-Learning Security Courses for Software Developers

FOR IMMEDIATE RELEASE

Media Contact:
Kim Novino
Safelight Security Advisors
508-981-9732
knovino@securityadvisors.com

Safelight Security Advisors Launches e-Learning Security Courses for Software Developers

Web-Based Modules Offer Comprehensive, Cost-Effective On-Demand Training

Boston, MA, February 25, 2009 – Safelight Security Advisors (www.securityadvisors.com), a security education company that delivers application security training to developers worldwide, today introduced electronic learning versions of their widely-taught instructor-led courses: Application Security Fundamentals and Secure .NET Coding. The courses bring a real-world understanding of the hacker mindset to application developers in a comprehensive, yet cost-effective computer-based offering that makes it easier for developers to learn at their own pace and schedule. Users can sign up for a free demo license at www.securityadvisors.com/offerings/hacker/. A third course, Secure Java Coding, will be available at the end of Q1 2009.

Unlike other security e-learning products, which provide basic information delivered in a static format, Safelight’s e-Learning courses incorporate deep content with interactive features designed to engage students. The modules offer Adobe Flash-based web content, clear and logical menu-based navigation that allows students to pause, skip or jump to any part of the course at any time, learning objectives that are reiterated throughout the course, and interactive games and quizzes to increase student interest and reinforce their learning.

“The truth is that an attacker knows much more about breaking into your system than the average developer knows about writing secure code. These advanced e-Learning courses shed some light on what developers are really up against and then teach them what they need to know to build solid defenses,” said Rob Cheyne, founder and CEO, Safelight Security Advisors. “Our computerized courses combine the depth of our instructor-led training with e-learning best practices designed to utilize the different ways people learn.”

Safelight’s e-Learning courses are currently being rolled out to customers in the retail, government, financial services and employment services sectors.

The Application Security Fundamentals e-learning course can be completed in 3-4 hours and is appropriate for all members of the application development team. No prior background in security is needed. The Secure .NET Coding course is for experienced developers and is designed to be used in combination with Application Security Fundamentals. For more information, visit www.securityadvisors.com.

About Safelight Security Advisors

Safelight Security Advisors is an information security education company that delivers application security training programs through effective e-Learning and instructor-led training. Safelight develops its information security education programs for development teams, executives and general staff. The company’s core courses focus on application security, secure coding, secure architecture & design, and security awareness. For more information, visit www.securityadvisors.com.

Paul Hinkle presenting at SD West on March 13th

Banking on Education: A Case Study on Developer Security Training

Speaker: Paul Hinkle (Chief Technology Officer, Safelight Security Advisors)
Date/Time: Friday (March 13, 2009) 1:30pm — 3:00pm
Track: Security
Presentation Format: 90-minute Case Studies
Audience level: All

Presentation Abstract

Four years in the making, State Street Bank has created a pioneering security education program for its internal developers: both employees and contractors located in multiple countries. This case study will discuss how to properly implement an internal security training program. It will discuss the unique challenges State Street faced, how they were addressed, and the process the company went through to create a successful training program that is now mandatory for all staff involved in systems development worldwide.

Please email info@securityadvisors.com for a discount code to receive $100 off the lowest price.

CSO Magazine: Rob Cheyne Pushes Developer Security Awareness

(10 June 2008)

Rob Cheyne, founder and CEO, Safelight Security Advisors, believes that security is everyone’s job. The @stake and Symantec veteran says security practices must be woven into application development and everything else. He spoke with CSO Magazine’s Kate Walsh about why enterprise-wide security education is critical.

Full Story