Implementing a Security Training Program

By codesecurely.org
On [2009-03-10] at 11:08:47



Overview: Having discussed the importance of security training, and really its criticality (without security training most software security programs are doomed to failure), I wanted to spend a little bit of time talking about how to go about creating such a program. Really, the expert at this is one of my co-workers, Roman Hustad, who hopefully will write in detail about this at some point (for now he is on a long hike to nowhere way up North; lucky him!). Anyway, most of this post is really inspired by and attributed to things I have learnt from Roman. Here's what we will talk about in this post:

- Who needs to be trained?
- How do you scale?
- How to be effective and efficient?
- How to measure success?

Who needs to be trained?

In a word: "everyone". The bottom line is that it is not just the developers who play a critical role in building software; there are a bunch of other roles involved in the process, and all too often companies tend to ignore or entirely forget about the impact these other folk can have on your software security.

- Let's start at the beginning: the business, whether this is the product management teams in an independent software vendor or the business units who need the specific application being developed in an IT organization. The business must be trained on why this security thing is important in the first place. Ultimately, in some way they pay the bills and decide the schedules; they will therefore need to buy into the concept that during the development process we will engage in security activities that seemingly provide no direct value, at least in terms of functionality.
- Secondly, the business analysts, requirements specialists or whatever that role is called: the people who write software requirements. It is essential that they understand how to document security requirements. They need to understand what the different organizational drivers for security are, whether these are specific regulations that must be complied with, industry-specific standards, company policies, and then security features themselves.
- Next are the architects, designers and developers. This is where the bulk of the training investment will be made. Most of the other groups discussed here are relatively small, and the quantum of information they need to be provided with is not that large either. With this group the sky is the limit, and the training has to constantly evolve as the security industry itself evolves. This group needs to be trained in secure design and architecture principles and secure coding practices (in each of the languages they work with), as well as in performing threat models, doing code reviews and security unit testing. As you can see, this could become a one-year graduate program in itself, so later in this post we will discuss some strategies for dealing with this.
- Testers. For some reason everyone tends to forget these poor souls. Given that their charter is to test software, why not provide them with the training and tools to test the security of software?
- Deployment and operations engineers are the next group. Responsible for installing and maintaining the application in production, they need software security training that teaches them how to configure and run the application securely. This is everything from the need to patch servers and third-party components to the SSL configuration on the web server, and from the secure configuration settings in the web.config or web.xml files to the service contexts and credentials.
- Finally, the users themselves. Security awareness is critical for users in general because, guess what, even if their account is compromised due to their own mistake (perhaps they provided their password to someone claiming to be from your helpdesk), they will most likely still blame the application ("well, no one told me that I was NOT supposed to give my password out! And they did say they were from your helpdesk!").

How do you scale?

One challenge that any company looking to implement a security training program runs into is how to scale. A lot of the development groups I run into have hundreds or even thousands of developers, and like I said above, this generally tends to be an issue only with developers; the other groups above tend to be smaller or don't require as broad a training regimen. So how do we train each and every one of those while still ensuring we deliver products on budget and on schedule? Do we need to train every single developer? Most training classes tend to be spread over the space of a week, so how can we afford to take all of our developers off their work tasks for a week? It's not just about the money but about the time as well.

In my experience this is best dealt with by creating a tiered training program. Essentially, for every team (depending obviously on the size of the team) create a new role called a software security architect. This person should become the "go-to guy or gal" for anything and everything related to software security. Once you have this type of development organization in place, the task of providing training becomes significantly easier. The software security architect is obviously provided with elaborate training and education. This could take the form of one to two weeks of training on security and the development technologies and how the two relate to each other. The average developer, on the other hand, can be provided with 4-8 hours of software security awareness that covers the importance of security, security principles, and common mistakes that development teams make and how to avoid them. They don't have to, for example, attempt to become experts at cryptography or authentication protocols. Any time they need help with such things they can go to their software security architect. In fact, chances are their software security architect might have built a nice little API for all of these complex security functions. This tiered program allows you to achieve the goal of having all of the development staff trained in software security while also letting you scale across the hundreds or thousands of developers you might have, without putting your entire business on hold while the training is being delivered.

Finally, another strategy I have seen succeed, albeit on a smaller scale, is to provide training as part of annual developer summits or geek clubs if your teams already have those. This is a good opportunity to impart training, or more likely at least awareness, when a large collection of representatives from your development teams happen to be in the same room, perhaps even for other purposes.

How to be effective and efficient?

Once the decision to disseminate training has been made, there are a number of things that can be considered to make the entire process both effective and efficient, i.e. how do we make sure we succeed both at truly increasing the average knowledge level from a software security perspective and at doing so at minimal cost.

Firstly, for the shorter-duration classes (4-8 hours), consider self-paced computer-based training (CBT) classes. Obviously with CBTs you gain the advantage of being able to start and stop at any time and of incurring minimal cost per student. On the other hand, you perhaps lose the hands-on experience and interactivity with a live instructor. CBTs therefore work well for training that does not have a significant hands-on component, for example talking about the fundamental principles of software security or about common mistakes such as buffer overflows and SQL injection and how to avoid them. Live training is much better suited to the intricacies of implementing cryptography or an authentication protocol. You might also prefer live training when your development teams are not too large and are composed of highly experienced individuals who are likely to have tons of questions.

Another thing to consider is how to position this training. All too often we see companies mandating training in response to a compliance objective and pushing it down to employees in a similar fashion. Instead, it is always better to sell training internally as an investment in the employees. Security is an increasingly popular component of the skill set for developers, and thus any formal or informal training they might have on this aspect adds value to their career and helps in its progression. This is especially true for the software security architects. As mentioned in the sidebar, it is vital that the person who fills this role be part of the development team and not be transplanted from a security team. Moreover, this role can be made a track in the developer career path wherein senior developers and development leads can fill the role after gaining sufficient development experience with the technologies in use within their teams. This is an excellent way to sell the role to development teams with the carrot rather than the stick, the carrot being the tremendous investment in personal training that will be made in this individual.

One aspect of training that is often forgotten is that the training itself can be forgotten! It is therefore vital to have at least yearly refreshers where the material is not only covered again but also updated to account for the research that came out in the previous year. This is especially important since the world of software security is evolving at a rapid pace, wherein problems that were considered purely reliability issues suddenly allow an attacker to remotely exploit them. There is also the opportunity to impart some of the continuous training through the threat modeling and code review processes, albeit in an informal manner. By discovering bugs and flaws and discussing how to fix them, we are subconsciously training the development teams to avoid them in the future.

If you are considering bringing in an outside vendor for training, also consider having them customize their stock classes with examples, references to policies and procedures, and contacts for people within your own environment. Ensure that their instructors are developers in the languages they are going to be teaching. The last thing you want is someone who has never programmed in that language teaching people based on knowledge gained from a textbook. Along similar lines, it is also helpful if the trainer has experience working with enterprise applications similar to your own.

Finally, another effective strategy is to ensure that at least the security awareness training is part of the developer onboarding process. This means that such training must be integrated with the new-hire training package in general. This ensures that before a new developer even touches any code within their respective development team, they have at the very least gone through the fundamentals of software security.

How to measure success?

As Lord Kelvin once famously said, "If you cannot measure it, you cannot improve it." So the question always arises: how do we measure the success or effectiveness of our software security training? For that matter, that is something we can ask of any form of training. There are a number of mechanisms I have seen to be useful for this.

Perhaps the easiest way is to tie the measurement into the training itself: for example, a quiz or test at the end of the training, or perhaps after each module or component of the training. This is the quick and dirty way, if you will, but multiple-choice quizzes are not always the most effective at measuring success; they are more likely to measure the memory of the individual than true understanding of the concepts. Of course, you could take this further and make them more detailed assessments where, perhaps in a lab format, students have to actually write code that corrects a software security problem in an existing code base.

At perhaps the other extreme is measuring actual improvement on the ground. This is typically a much longer assessment, and at first look it appears that it would cost a whole lot more on top of the cost of the training itself. However, if you think about the assessment as tied not just to the training but to the larger software security program, the assessment might not appear to be as heavy. To perform such an assessment, it is important to first create a baseline based on the current state of affairs. Consider performing threat models, code reviews and penetration tests of 5 to 10 of your most critical applications. The results from these security activities will form the current score, if you will. Then go through the training program you have chosen to adopt. Don't worry too much about new individuals joining the team and other such changes, since in reality they reflect changes to your team as they would normally occur and hence don't necessarily represent an anomaly. Once the first run of training is completed, perhaps a year to 18 months down the line, run a second series of assessments, possibly on the next versions of the same applications. If your training and software security program was truly effective, you will hopefully see an improvement in the results over your earlier score. If you see a slip downward, obviously you have a problem and have to question why there was no improvement, or indeed negative improvement. On the other hand, even if the improvement does not meet your expectations, you can question which activities are not having the desired effect and why that might be the case.

Hopefully the longish post above will provide you with something useful as you look to create your own software security training program. In fact, the more I think about it, the more I realize that this will perhaps help with any type of training program. I would also be very interested to hear from you about any other valuable lessons you might have learnt from your own experiences: what worked and what did not, for instance. Good luck.
