One of the greatest issues I see affecting organizations today is the lack of corporate support for developer and administrator security education. So, I would like to provide you with some useful information about security training and events to help supercharge your learning and keep your teams up-to-date with news about new threats and attack methodologies.
Unfortunately, training budgets are often the first area considered when attempting to reduce spending. This is nothing new in business, and it is not simply due to the effects of “poor economic conditions”; it’s just a fact of life. I include below a few training considerations and several cost-effective options (some are even FREE – we like free). But before we get there, why are many organizations not familiar with secure coding practices and common vulnerabilities, and why is proper training important?
Higher education institutions, such as traditional and online universities, are often not adequately prepared to support students in understanding software vulnerabilities as a regular part of network administration or programming-related degrees. Higher education often focuses on “educating” future software developers but lacks concentration on building security into applications and the System Development Life Cycle (SDLC). Many of the software engineering degrees offered at major universities do not focus on secure programming principles, but instead focus primarily on functionality and core programming principles. Ultimately, the goal at school is to “make it work,” and too often the “don’t let it break” part is practically ignored. The lack of focus on building security into the SDLC causes many organizations to implement security as an afterthought instead of as a comprehensive approach to deploying applications as services securely. Training and educating administrators and developers is key to understanding the risks and financial impacts that can be experienced. Failure to keep your staff up to date with the current trends in security can expose organizations to avoidable risks.
Some of the top security conferences listed below will allow you and your organization to learn about current trends, attacks, mitigation techniques, newly discovered vulnerabilities and their possible impact on your organization’s security.
DefCon – www.defcon.org
BlackHat – www.blackhat.com
Computer Security Institute (CSI) – www.gocsi.com
RSA – www.rsaconference.com
CanSecWest – www.cansecwest.com
Toorcon – www.toorcon.org
These are some of the most popular conferences to attend; however, many other national, international, and local conferences occur every year. All of the listed conferences can help augment the knowledge and skill sets your team needs to address today’s security concerns. Conferences are also great for a “snapshot in time” approach to the latest and greatest developments in the security field; however, they are not a replacement for learning the principles of secure programming and how to avoid common mistakes.
Can’t make it to a conference? Here is a little tip: Google.
Many of the conferences occur on a regular basis, and over the years it has become easier than ever to view the quality content of many conference presentations for FREE.
At www.securitytube.com you can often view full-length, quality video of presentations given at these conferences at no cost. As I am writing this blog post, there is a surge of new videos being released from this year’s BlackHat and Defcon conferences.
Defcon makes many presentations from years past available as podcasts. Other conferences, such as Shmoocon, also make content available for free after the conference.
Another great resource allowing you to get your weekly dose of security training is PaulDotCom’s weekly podcast. The team over at Hak5 also allows you to subscribe to podcasts or watch content on their web site (www.hak5.org).
Lastly, initiatives such as US-CERT Secure Coding (http://www.cert.org/secure-coding/) and the learning tools provided by the Open Web Application Security Project (OWASP, at www.owasp.org) can also prove valuable for spotting and preventing the most common application development and deployment mistakes.
So, do we always need to pay conference or entrance fees to stay up to speed on security? No!
However, I for one enjoy going to the conferences because of the networking, the insightful presentations, and, of course, supporting the information security community.
In October, Paul Petefish (Solutionary Security Consultant) and I will be presenting “My Vulnerability Scanner Didn’t Find Anything: Now What?” at CSI 2010 on October 29 in National Harbor, MD; stop by and say “hi” if you see us!
