The trend in software security training is towards common, standardized training for developers, according to the software security firm Cigital. This is in contrast to the earlier days of security training, which tended to be tailored to specific technology stacks and toolsets.
Per a recent Cigital blog post:
We’ve seen some significant changes in the Training part of the software security market. First, most firms have come to realize they are not a special snowflake when it comes to writing secure code. For years, the vast majority of firms felt that software security training had to be an exact, customized match for their skill levels, their technology stacks, their SDLC, their coding standards, and even their IDEs. It took a while for many firms to understand that the origin of their XSS and CSRF bugs, for example, was probably not their choice of IDE or SDLC, it was rather tied up in how their code was being attacked based on its design and implementation.
XSS issues are XSS issues, regardless of the nature of your application. This is one reason projects like OWASP can provide standard cheat sheets and guidance for different vulnerability classes: at the end of the day, those of us writing web applications speak HTML and JavaScript, and any attack which leverages those languages will affect us all.
Links:
- Software [In]Security: Software Security Training – trends in secure software training and the source of the above quote
