I spend much of my time on the
road conducting presentations on application security for various audiences. Of
all the groups that I speak to, developers are a favorite of mine. Developers
get a bad rap when it comes to security. They are generally blamed for creating
vulnerabilities, not thanked for preventing them. While it's true that a
developer somewhere is responsible for creating just about any vulnerability, I
don't blame them. Developers build what we ask them to build. Plain and simple.
The problem lies in the fact that we've not historically asked for security.
What we've asked for is functionality and a project that is released on
schedule. Unfortunately, those two requirements generally work in opposition to
security.
Slowly, we are coming to the
realization that when it comes to application security, the only complete
solution is to ensure that the application itself is secure. While defense in
depth solutions such as firewalls, IDS/IPS technologies, etc. can increase the enterprise's
overall security posture, in the end, they are band-aid solutions designed to
protect vulnerable applications. With enough time and effort, these defenses
can be bypassed and the vulnerable technology exploited.
With this realization we're now finally
asking our developers to start worrying about security. That's a bit of a scary
proposition for most developers who have been building applications for many
years without a need to focus on secure coding because 'the security team takes
care of security'. We're now asking developers to learn a new discipline on top
of the ever evolving world of software development. Why then do I enjoy
speaking to developers? The answer is simple - despite the challenge, they want
to learn. Developers do not for the most part despise security. On the
contrary, they want to embrace it but no one has ever shown them the way. Take
a look at any programming textbook or university course syllabus - where are
the chapters or lectures on security? They're not there, but they need to be.
Developers, like anyone tasked with building something from nothing, take pride
in their work. They want their code to be secure just as much as they want their
project to have adequate functionality but they need the resources and training
to make that happen. I enjoy speaking to developers because I so often see that
'lightbulb moment'. For the first time they say 'ah, so that's what XSS/SQL
Injection/[Fill in vulnerability type here] is. I'd heard the term but had no
idea what it was or how to fix it'. As a presenter, that's a very satisfying
moment.
Educating developers to produce
secure code is no small task and will not happen overnight. A first step
requires providing developers and their employers with a metric to measure both
current developer knowledge and assess progress over time. SANS has recently launched the Secure Programming Skills Assessment, a
collection of six examinations covering various programming languages (C, C++,
Java, .Net, PHP and Perl). The goals
of the project include enabling employers, consumers and the developers
themselves to be able to assess the secure coding knowledge of those involved in
a software project. While the exams are designed to benefit multiple parties, I
expect that developers will receive the greatest benefit as the exams will
allow them to identify their own deficiencies. SPI Dynamics was one of the many
contributors to this initiative
and having looked at some of the content, I can assure you that the questions
can be quite challenging and I expect that the exams will be an eye opening
experience for those that choose to take the exams. If you're interested in
learning more, take the time to listen to a recent webcast that
was conducted to launch the initiative. I had the pleasure of sitting on a panel
with a group of industry leaders where we discussed the types of application
vulnerabilities that we're seeing and what we believe needs to be done about
them going forward.
Posted 04-11-2007 12:03 PM by erik.peterson