January 10th, 2019
One session that I went to today was "Making and Baking an Application Security Department", presented by Bill Sempf. Bill disclosed his experiences in regards to training application security developers, touching on the current AppSec developer shortage and ways to resolve the shortage. It was difficult to approach training people that were coming from different backgrounds without experience architecting and building large, service applications. Although not impossible, he seemed to conclude that it was extremely difficult to train developers with little experience (under 20 years) or train those that had a security background but no development experience. He urged senior devs to move into AppSec roles and engage all developers by teaching them about security tools.
Bill talked about the journey of several developers that he either trained or advised. They all entered security with different skill levels and backgrounds. One had started in security but did not develop software. One was a self-taught developer that saw a need for security groups. One who was completely new to development and graduated from a non-traditional development program. And one that had a few years of developing experience after getting a degree in Computer Science. What was very clear was the drive that these developers had; they were all eager to learn and fascinated by how things worked. They were all comfortable figuring things out through research to the point where they could get support from a senior dev. However, he said, this was not enough. Beyond determination, they needed training from senior devs with nearly rare to find experiences. They needed to understand how software worked; how the underlying protocols worked; web services; why different kinds of web services existed; how APIs worked; how databases worked; how anything worth hacking worked.
One issue that contributed to this training difficulty was education or the lack of formal, application security education. The set of people currently able to solve security problems is very small. Those who have been writing software for 20+ years are the best resources for protecting applications and training teams because they have experience acrhitechiting, designing, and building service driven applications that touch 30+ data sources. Bill suggested that people seriously consider trainings -- but not via sites like Pluralsite and the like. Instead teams should run application vulnerability analysis, manual and dynamic testing, automatic testing. They should then use tools, just as the Open Web Application Security Project, OWASP, to find vulnerabilities or help defend against vulnerabilities.
I'm interested in learning more about OWASP and different security tools. And I hope that more senior devs will be compelled to share their knowledge and formalize trainings for their teams.