Now the real problem is that the developers should deal with the application level security issues, when many fail to do properly as well, mainly due to lack of education. Safe, reliable programming techniques are still not taught in computer science, at least not last time I checked.

Second – I’d like to reiterate what Dave Ladd said in his SDL Blog entry. There is a difference between education and training. I believe that technology basics such as networking and protocols should be part of the education curriculum for folks getting a CS degree. All developers won’t necessarily have a degree in CS. I occasionally hack things together and don’t have a CS degree. But I strongly believe that people working on/in technology should have a basic understanding of how the technology actually works. I don’t want someone to tell me TCP header offsets or hand-type HTTP to a server (though its a nice skill to have for troubleshooting) but they should at least fundamentally understand how these things work.

To echo what Lori says though I’ve almost never met serious developers who don’t want to learn these technology basics when given the opportunity. Hence my focus on educational opportunities for folks wherever I work. The attendance is usually fantastic – even if they know who I am

Those are good insights, and I can see where there gets to be too many things to learn. There are many times when I as a security professional have been asked security questions around applications, and I have to beg off because that is not my field of expertise.

But in today’s world, security HAS to be the priority. It sucks, but that is reality. Honestly, I don’t know how to make that happen exactly. Training programs and university degrees are a good start. But with so much relying on the application today, they are the focus of attacks. And unfortunately, technology can only really catch the low hanging fruit.

Michael

Having been a developer for over half my life, hopefully I can provide some insight.

I think part of the problem is that developers today are overwhelmed by the amount of knowledge across domains within application development they need just to develop apps, let alone the myriad networking and security issues that we want to heap on their plates. They need to understand the frameworks in which they develop (.NET, JavaEE, OWL, Spring, RoR, etc…), they need to understand the business logic so they can implement it, they need to understand the application server environment into which they will deploy their applications. It’s almost crazy to ask them to not only dig into what are rightfully considered transport layer protocols (even HTTP is transport layer to most developers today) let alone understand the security risks inherent in each of those protocols.

There’s been a lot of talk about universities focusing degrees on different computing domains: networking, security, development, but there’s been very little discussion inside the area of development on focusing in on specific areas of expertise. Perhaps that’s what is needed, because as the base of knowledge required to be a developer expands to include all these areas there are very few developers who’ll be able to keep up. Remember they have to learn the specifics of the business, too (the difference between a “shipment” and a “movement” in transportation and logistics is apparently very subtle, and yet very important! ) and that’s not something they can learn in college, it’s on the job, period.

Given that, I think it’s often not necessarily a lack of interest on the part of the developer, but rather a lack of time and prioritization.

Lori