Thursday, August 27, 2015

Security Awareness of Software Developers

As Chief Architect and Co-Founder of the Secure Code Warrior platform, I am trying to stay close to the developer community and especially the ones that are interested in cyber security and secure development. One of those touch points was last week in Berlin (Germany), during a cyber security training conference of the SANS Institute where I was teaching the SEC542: Web Application Hacking course. There were at least 10 developers out of the 20 attendees (which is very positive because I have never had so many developer in one class).
On the first day, I surveyed the class and checked how many knew what a “SQL injection” and “Cross-Site Scripting (XSS)” attack was.  Both weaknesses that have been around since 1999 (first publication of SQL in Phrack magazine and XSS 10th birthday was in 2009 according to Microsoft) . Most of the ten developers had heard of these terms, or had been confronted with them during an audit or just because they were interested in the subject.
On day 5, the second last day of the training, we focused on the technical consequences of such vulnerabilities. I demonstrated to them how hackers abuse the SQL weaknesses to gain access to data stored in a SQL database but also how this could be further abused to gain access to the operating system under certain conditions. I also used the Browser Exploitation Framework to show the impact of a simple javascript injection and how this could lead to controlling the victim’s browser and manipulating session data.
Most of the developers in the class never knew this was possible with those types of attacks. They knew these security concerns were important but had never thought the consequences could be so devastating for an organisation. This shows me that even developers who are interested in the subject (why else would they be in the class room in the first place?) do not necessarily have sufficient awareness around security weaknesses and do not think the same way as malicious hackers.
How are developers supposed to write secure code if nobody ever teaches them about the consequences and more importantly how to prevent writing these vulnerabilities in their respective programming frameworks in the first place?
Pieter