As an experiment, researchers at the University of Bonn posed as a client trying to develop software. They hired 43 freelance software developers from Freelancer.com for either 100 Euros or 200 Euros.
They asked the freelancers to develop a small part of a fictitious web site, the site’s registration system.
Since this was a university research study, the university’s ethics board had to approve the deception. After the study all of the developers were told they could withdraw from the study. None did.
The project was written in Java and the developers ranged from 22 to 68 years old.
The researchers said:
“Our sample shows that freelancers who believe they are creating code for a real company also seldom store passwords securely without prompting,”
16 of the developers copied code from the Internet which wouldn’t be bad if the code they copied was secure.
Many of the developers didn’t understand the difference between encoding and encryption. Not a great sign.
Bottom line here – DON’T ASSUME THAT DEVELOPERS UNDERSTAND SECURITY. DON’T EVEN ASSUME THAT THEY UNDERSTAND THE WORDS, BECAUSE, AT LEAST IN THIS GROUP, THEY DIDN’T.
We train our development teams in secure development lifecycle practices. Most developers are really receptive to it, but just not trained.
This is especially true for developers who come out of boot camps and trade schools and also for developers offshore. It is just not part of their training.
Commercial software (like Microsoft, believe it or not) is much more likely to be implemented using secure development lifecycle practices than in-house developed software. That is why companies like Microsoft are willing to pay up to a million dollars for a zero day bug – their code has become much better over the years.
Unfortunately, the opposite is true for in-house developed software. There is usually very limited training; often no dedicated quality assurance teams; penetration testing is rarely done and schedule is often the dominating factor in determining when the code is fully baked.
Now here is the bad news. Microsoft (and I am just using them as an example) can afford to spend tens of millions of dollars in the case of some horrible breach caused by their software.
Software development lifecycle training is not a “one and done” kind of thing. It is an over and over kind of thing. You are never done. 24 years after Bill Gates infamous memo and order to stand down all development activity for security training, they are still working on secure development practices.
Is your company?
If you do not have an active and ongoing secure development lifecycle training program and the practices that follow from that in place in your company, you should start one now.
Unless you want to be in the news. For all the wrong reasons.
Source: The Register.