Education definitely has an important role to play here. I don't have any formal training myself so I may not be the best person to pass criticism, but I think every CS program should at least include basic education about common security issues like buffer overflows (in unmanaged languages), unsanitized user input, and insecure password storage.

Establishing a security review process for new projects and (at minimum) a security-conscious code review process for all code changes is important, and can be done even if your company doesn't have a dedicated security program.

One of the most beneficial things you can do is to try to architect your code and services in such a way that doing things securely is easy and doing things unsafely is hard. This way new people are less likely to screw up while they learn the ropes, and dangerous mistakes are more likely to be caught because they'll probably be more obvious.

In the web industry (the industry I'm most familiar with), I think there's an artificial divide between "security people" and developers that really isn't helpful and doesn't need to exist. The result is that web developers often don't think about security ("I'm not a security person!") and security people often look down on web developers and think they're idiots ("How can you not know about SQL injection?!").

It would be great if there were less of a divide and more experts sharing their knowledge in non-judgmental ways. There are tons of conferences and training sessions web developers can go to to learn more about web development, but they very rarely feature security-related content, and if they do it's often as an afterthought. I'd love to see that change.

But for individual developers who aren't sure what they need to know, I think the best advice I can give is to read everything you can. Code, articles about code, books, but especially code. You can learn so much from reading the code of open source projects you use, or even just the closed source projects you work on at your job. When you see something you don't understand, ask questions about it.

That's more or less how I've learned everything I know. 🙂