Most application risk managers agree that training software developers to understand security concepts can be an important part of any software security program. Couple that with the Payment Card Industry, which mandates in its Data Security Standard that developers receive training in secure coding techniques. Yet others call developer training "compliance-ware," a necessary evil and a tax on software development in the enterprise. This presentation shares the results of a yearlong survey of nearly 1,000 software developers that captures their knowledge of application security before and after formal training. The survey queries developers from various backgrounds and industries to better understand their exposure to secure development concepts and to capture a baseline for measuring post-training improvement. The session also includes the results of a "retest" of a subset of respondents, to identify how much security knowledge they retained after a specific length of time. The results were surprising, and include information every application risk manager should know, particularly those who rely on training as part of an application security strategy.
John Dickson is a Principal at Denim Group, Ltd. and a CISSP who helps CSOs manage secure software initiatives. He is a Distinguished Fellow of ISSA and one of the civilian advisers to the Air Force Space Command, which organizes, trains and equips cyberspace forces to conduct network defense, attack and exploitation. Dickson is a former U.S. Air Force officer who specialized in network defense and command and control while on active duty and in the Air Force Reserve. He joined Denim Group after holding several leadership positions at SecureLogix Corporation, including Regional Vice President of International Operations and Director of Consulting. Before SecureLogix, John specialized in security architecture development, electronic commerce, corporate information protection, and intrusion detection as a Manager with KPMG's Information Risk Management consulting practice in Dallas. He was a consultant with Trident Data Systems, a Los Angeles-based network security consulting firm, prior to his tenure with KPMG. His experience at Trident included network penetration projects, firewall project management and enterprise security reviews. He also founded and operated one of San Antonio's first Internet Service Providers, Onramp Access, from 1995 to 1997.