The Security Samurai

Necessity is the plea for every infringement of human freedom. It is the argument of tyrants; it is the creed of slaves - William Pitt

Developing A Security Seminar

There used to be little formal information on security available to developers. Five years ago, most of the information was developed and shared by hackers of all hats. Today, many materials have been formally developed on the subject and are at the fingertips of any developer who takes interest in the subject. There remains, however, a huge gap between those in the know and those who don’t. After thinking about a previous post I made, I have decided to create a security seminar to help companies become more aware of security in an attempt to bridge that gap. Taking a page from Robert Scoble’s Naked Conversations, I intend to develop this seminar right here in my blog. I want to make this an open discussion on how we can best deliver this message and encourage your comments as I bust out the content.

Here are my initial thoughts for the seminar:

Goal:

Help organizations develop a better security infrastructure.

Audience:

All members of organizational units who create products and/or services and those who support their efforts (business stakeholders, developers, administrators, etc.).

Content:

  • Kickoff (.25 Day) – Joint Session.  Discuss the processes necessary for secure application development.  We will look at some of the challenges and benefits of adding security to existing development methodologies.  The goal is to have the company realize benefits and start thinking of a plan of action to be discussed in the final session.
  • Identifying Threats, User Input (.5 Day) – Technical Session.  Would look at threats from user input and how we can prevent them from occurring.
  • Identifying Threats, Elevated Privilege (.5 Day) – Technical Session.  Would look at threats of an attacker with elevated privileges and how we can prevent them from occurring.
  • Threat Modeling – Joint session.  Learn how to model threats by analyzing those faced by the particular organization.
  • Wrap-up Discussion – Joint session.  Foster an open discussion on the realities of implementing a more secure development lifecycle and define a formal plan of action.

(Joint sessions include everyone, while technical sessions are intended for the IT staff; however, business stakeholders are welcome to attend. The last two sessions would take up the rest of the second day and be tailored to the group.)

What do you think?

 

posted on Monday, June 13, 2005 2:19 PM