Chapter 17. Getting Required Training

Secure applications that follow best practices and employ all the latest anti-hacking strategies are still easy prey when their users are unaware of the need to keep things secure. Social engineering remains one of the most effective ways to break into an organization. Users aren’t inept, and it isn’t that they lack the ability to make good decisions; the problem is that they often don’t have appropriate training and are never required to retain what they learned. Simply training someone to perform a task well achieves little unless that knowledge is tested from time to time, with repercussions for failure (or perhaps rewards for success).

However, developers, administrators, managers, and all other personnel in your organization also have training requirements. Without proper training, your organization has little chance of keeping hackers at bay. Developers need to keep an eye out for new threats and fix security holes, administrators need to remain vigilant for potential breaches, and management needs to understand why it must provide the resources that keep applications safe. In short, everyone has a task to do that requires some level of training to achieve.

This chapter discusses some of the ways in which you can help keep the human element of an application trained so that the application performs better and hackers are less inclined to attack. No, training won’t solve all your problems, but training mixed with secure applications, appropriate support software, and well-designed libraries, APIs, and microservices will give hackers a reason to have second thoughts. A sufficiently determined and well-funded attacker may still get through, but if you can give a hacker a good reason to look for a target with weaker defenses, it pays to do so.

Creating an In-House Security Training Plan

Depending on the size of your organization, an in-house training plan can be both less expensive and more effective than using a third-party trainer or school. The advantage of this approach is that you can teach security as it applies to your organization, which means that your staff gets more pertinent information in significantly less time. The disadvantage is that the in-house trainer is unlikely to have the skills, education, or experience that a professional trainer provides. The following sections discuss the requirements for an in-house security training plan.

Note

As with many areas of security, you must weigh risk when choosing in-house security training. Yes, your trainer will know all of the security requirements for your organization, but the documentation your organization provides may be incomplete or simply wrong. The risk is that the training faithfully passes your organization’s own mistakes on to your staff: the material matches what the organization believes is correct, not what actually is. Using an outside training option often gets staff talking about the latest trends in security and may prompt them to propose changes to the security plan that better promote good security processes within the organization.

Defining Needed Training

Before you can embark on a training crusade for your organization, you need to have some idea of what sort of training your staff requires. Everyone in the organization requires some level of training, even those who already have some professional training. Creating a list of the kinds of training needed will make it possible to tune the training sessions and obtain better value for your investment. In addition, because the training resources of an organization are usually quite limited, you need to get the maximum value from them. With this in mind, consider the following issues as part of any training plan:

  • The current skill level of your staff

  • General training requirements (those used throughout the industry)

  • Organization-specific training requirements (such as the use of forms or processes)

  • Staff availability

  • Trainer availability

  • Trainer familiarity with specific staff needs

  • Potential training locations

Unless you create a usable plan for meeting training goals, the outcome is that the staff will learn little, trainers will become frustrated, and the value you receive for the time invested will amount to nearly nothing. It’s important to understand that in-house training only provides a benefit when you tailor the setting and goals to take advantage of the in-house environment. For example, a quiet room where the trainer can meet with staff members who require special help one on one usually nets better results than attempting to accomplish the task in a noisy classroom.

Setting Reasonable Goals

A major problem with in-house training is that management tends to set unrealistic goals and the trainer lacks the experience to steer management in the right direction. Because staff members can be unwilling participants, they sometimes feel the trainer should give them a break—a free ride—simply for attending the training sessions. The lack of clearly defined goals makes it impossible for anyone to get what they want or even to know what they have achieved. A lack of reasonable, clearly defined goals often causes even a well-organized training session to fail. In short, goal setting is an essential part of making training work. Here are some things to consider as part of setting training goals for the organization:

  • Develop a plan based on what the organization actually needs for training, rather than what would be nice to have.

  • Specify goals that everyone can understand, using a language that everyone understands, rather than relying on jargon.

  • Ensure the goals fall in line with what the staff is able to learn, rather than what you think the staff should learn.

  • Create goals that use the time you have available efficiently, and allow extra time for harder topics, because staff members will have questions and may not understand the material on the first pass.

  • Provide time for staff members who require individual training or who aren’t able to meet at a specific training time.

  • Use input from all stakeholders in the training arena: management, trainer, and staff should all have a say in what the training sessions provide.

Only when a training plan includes reasonable goals can you hope to achieve anything. It’s important to understand that you might not meet all your goals, so having levels in the list of goals (where meeting a specific level is still considered a win for everyone) is important. You can always create another training session to handle harder goals later—the important thing is to achieve demonstrable results during each training session so you can point to the goals when management asks what the training accomplished.

Note

It might seem as if the trainer should set the goals for training, but this isn’t the best route in many cases. The trainer will spend time getting ready to train staff members in new techniques, so coordinating the training sessions will place an unnecessary burden on the trainer. In many cases, you can accomplish more by assigning another individual to coordinate everyone’s efforts. That way, the stakeholders can concentrate on their specific area of concern.

Using In-House Trainers

Many organizations assign a staff member to deliver required training. In many cases, using an in-house trainer works acceptably, but some situations call for a consultant or professional trainer to obtain good results. There are advantages and disadvantages in using an in-house trainer. The advantages are:

Cost
It’s a lot less expensive to use in-house staff than it is to hire a professional trainer in most cases.
Familiarity
An in-house trainer will already be familiar with company policies and the staff that implement them, so it’s easier for an in-house trainer to provide personalized attention.
Availability
Using an in-house trainer means that it’s possible to schedule training around organizational needs, rather than the needs of the trainer. In addition, staff with questions can access the trainer as needed.
Convenience
In most cases, using an in-house trainer is more convenient than having to find someone with the requisite knowledge on the outside. Hiring an outsider effectively means having to hold interviews for someone you don’t plan to retain as an employee.
Known quantity
An organization already knows the knowledge level, credentials, and abilities of the in-house trainer. Some outsiders represent themselves in one light during the interview and deliver something different—something less than expected.

In order to gain these advantages, management must work with the trainer and staff must be willing participants in the training process. Even under ideal conditions, using an in-house trainer comes with at least some of these disadvantages:

Lack of respect
The staff members are already familiar with the trainer as a peer. The classroom environment demands someone who commands respect and the other staff members may refuse to provide it.
Loss of time
An in-house trainer will focus attention on the training task, rather than attending to normal business matters. You can’t expect them to do both. What this means is that you effectively lose an employee for the preparation time before the sessions, the sessions themselves, and the follow-up afterward.
Lack of skill
In general, any in-house trainer is not going to possess the same skills as someone who trains full time. The exception is someone who happened to go to school to become a trainer.
Lack of experience
Even if someone has the required skills and training, the fact that they don’t perform training tasks full time means that they lack the experiential knowledge a full-time trainer will have.

Monitoring the Results

Training is a process of monitoring and adjustment. You can’t simply pour information into people’s heads and expect it to stick (at least, not yet). The reason that schools are supposed to give exams is to help the teacher understand deficiencies in the current curriculum and to aid in making adjustments to it. The same is true of corporate training. In order to achieve the best results, you must monitor the training effort and make adjustments to it to allow for the differences in people and their understanding of the topic. Of course, work-related exams can take many forms. Here are some ideas for monitoring the effectiveness of training:

Written exams
Using an exam to measure the effectiveness of training works in the classroom to some degree and it also works in the corporate environment. Of course, some people know how to bend a test to their will (without actually becoming competent) and some people simply don’t take tests well (despite being quite competent), so this shouldn’t be your only measure of success.
Hands-on testing
Creating a test scenario and having the staff member demonstrate the training they received is another way to check for the desired results. Often the people who fail written exams do much better with hands-on testing. However, hands-on testing still has the same problems that written exams do—some people simply do better at them without really knowing the material.
Practical factors
Training should produce a demonstrable effect in overall workplace efficiency and productivity. Simply watching how the training affects the business can prove that the training is working. For example, a significant drop in security-related errors can show that the security training is achieving the desired goal.
Monitored results
Watching the business as a whole may not tell you everything you need to know about the effectiveness of the training. Sometimes you need to monitor specific business areas, such as a reduced incidence of successful email attacks, to know whether the training is working as desired.
Cross-training
Teaching someone else to perform a task correctly is one method that many businesses fail to think about for assessing the success of a training situation. In order to train someone else, the staff member must absorb the knowledge well enough to use it effectively. A cross-training scenario demonstrates that a staff member actually understands the material and can put it into words that someone else understands.

Warning

A serious problem that occurs during the monitoring process is that people feel threatened and become unproductive. Everyone seems to feel a need to blame someone or something for a failure to achieve a specific training goal. However, failure simply points out the need for additional training, not the need for blame (see the article “Defining the Benefits of Failure”). A failure can occur for reasons other than an error on anyone’s part. Wasting time playing the blame game is unproductive. It’s far better to accept that a failure occurred and provide remedial training to address it.

As you monitor the results of training, you can check off items where the staff has demonstrated adequate knowledge. Where the staff fails to meet training goals, you can re-create the goal and try some other approach in presenting the material. Repeating the same approach to training will generally create the same result—the ability to create multiple methods for learning the same material is essential to ensuring that the staff members actually absorb it.

When training is ongoing, you can use the opportunity of checking off learned goals to generate new goals that build on the knowledge the staff accumulates. It’s important not to overwhelm anyone by creating huge lists that make the task of learning the new material seem insurmountable. What you want to do is create smaller steps with frequent successes so that the staff can maintain a positive attitude toward the training.

The overall goal of any training scenario is to ensure that your application and its associated data remain safe. As mentioned earlier in the book, the only way to achieve a secure environment in any organization is to secure staff support for it. Training is part of the process for gaining the staff member’s trust in the application and ensuring that everyone understands the role security plays in making the work environment better. The only way to gain this sort of result is to maintain a positive environment.

Obtaining Third-Party Training for Developers

Third-party training usually promises generic security information that works well for most organizational needs. Of course, you pay more for this generic training than you would using in-house staff, so you’re getting information that is less pertinent to your organization and it’s costing more to obtain it. However, the training the staff receives is more professional and current than an in-house instructor can provide in most cases. What you gain is the quality of training.

Not all third-party training is alike. You can obtain third-party training in several different ways—each of which has advantages and disadvantages. The following list summarizes the most common third-party training options:

In-house security training
A security consultant with training experience comes to your organization and sets up shop in an area you provide. You can provide input to the trainer on the sorts of information that your staff needs. As a result, you can customize the training to some degree and obtain a better balance between generic and organization-specific information. In addition, your staff learns in the environment they work in and use the equipment they normally use. One downside of this option is that you must provide an area for the trainer to work that is sufficiently large to house the staff that you want to train. In addition, this tends to be the most expensive option.
Online schools
When working with an online school, staff members can usually proceed at their own pace, which could mean a better level of training. However, staff members must be self-motivated for this option to work well. The advantage of this training option is that it costs significantly less than most other options and provides high-quality training in most cases. The disadvantage is that staff members aren’t learning in a classroom environment and may find it difficult to get questions answered in some cases. You may also find that the course material is a little more limited than other options.
Training centers
A training center offers a specialized classroom environment with trainers who do nothing all day but teach security. Consequently, this option offers the best generic training and staff members obtain the best level of interaction with the instructor. Training centers normally keep class sizes quite small so that the instructor can spend personal time with each student and motivate the students to do their best. This tends to be a moderately expensive training option and you may find that you’re out additional expenses for the staff members who attend the classes when the training center is located some distance away.
Colleges and universities
In most cases, students get the same level of training as they obtained when going to school for their degree. The classes may be crowded, the instructor overwhelmed, and the material outdated. In some cases, this option is free or of minimal cost, with the exception of required classroom materials. A downside of this approach is that the school holds classes when it’s most convenient for the school, not for your organization, so you may end up losing staff members for stretches of time when they go for training.

You may not find a perfect third-party option, but you can usually find one that fits well enough. The goals in this case are to find the level of training needed (or get as close as possible to it) for the price you can afford. The following sections provide additional information about how third-party trainers can help your staff members get the kind of training they require.

Note

Some levels of training offer a certificate that an in-house trainer can’t provide. The certificate may be meaningless for your business or it might be something you can show to potential customers to demonstrate that your staff has received the required security training. Having the certificate makes you more attractive to some customers and can improve business—making it possible to earn back some of the additional money spent on training needs.

Specifying the Training Requirements

When working with a third party, you still need to perform the tasks described in “Defining Needed Training” and “Setting Reasonable Goals”. However, you must now perform these tasks for someone who doesn’t know anything about your company’s culture or needs. In order to obtain the training requirements you need, you must provide a blueprint for the person or organization providing the training service. Any staff members involved with looking for, querying, and interacting with a third-party trainer must understand the training requirements fully and communicate them clearly to the provider. Otherwise, the training your staff receives won’t do the job and you’ll continue to have security issues that you could avoid with the proper training in place. The following list describes some of the things you should consider during any conversation with a third-party trainer:

  • Discuss training times to ensure they work for your organization

  • Specify the venue for the training

  • Ensure the trainer actually offers the services needed

  • Verify that the trainer has the proper credentials

  • Create a list of needs the trainer has in order to obtain a desirable result

  • Obtain a list of any required special equipment

Warning

The value provided by third-party trainers and training organizations varies greatly. Make sure you get any promised services in writing and that the training service you obtain has a proven record of accomplishment. If possible, take time to talk with previous clients to discover any potential problems. Of course, the people that the trainer recommends will have mostly positive things to say because they likely had a positive experience. Even so, you can usually obtain enough information to make a good decision by being careful in how you talk with past clients. As with any other business dealing, it’s important to remain cautious when hiring a third party to perform training tasks in your organization.

Hiring a Third-Party Trainer for Your Organization

When hiring a third-party trainer to teach on site, you need to set up several meetings to ensure the trainer understands what you want and to verify you have everything the trainer needs to do a good job. The first day a trainer arrives on site to teach shouldn’t be a tragic waste of time for everyone. Doing your homework will reduce first day issues so that everyone begins on the right foot. Here are some things to consider discussing with the third-party trainer:

  • Discuss specific security issues that your organization has and provide demonstrations of how these issues take place within the organization. It’s essential that the trainer know precisely which security areas to address and emphasize during the training sessions.

  • Ensure the trainer understands the history behind any security-related issues and knows what you’ve done in the past to alleviate them. This step ensures the trainer doesn’t waste time trying things that you’ve already tried and ruled out.

  • Address any potential restrictions on training with the trainer to ensure the staff members don’t feel uncomfortable receiving instructions that are contrary to company policy.

  • Verify that the physical location you select for training will meet the trainer’s needs. In addition, check on issues such as the kind of equipment the trainer needs and what equipment the trainer will provide.

As with any other visitor to your organization, you need to ensure the trainer feels welcome but doesn’t have free access to sensitive areas or sensitive information. A trainer isn’t somehow above the security requirements for your organization. In fact, the trainer could be in the business specifically to carry out social engineering attacks. Treat the trainer as you would any other untrusted visitor: escort them in restricted areas, put any equipment they bring on a guest network rather than the internal one, never share staff credentials with them, and use sanitized rather than production data in any hands-on exercises. Always treat your third-party trainer with respect, but also ensure the trainer receives the proper level of monitoring so that you keep your organization safe.

Using Online Schools

Online schools offer little in the way of customization and the curriculum you see is the curriculum you get. Ensure that the online school provides good access to the instructor through some asynchronous means (such as email). You want to be certain that your staff members can contact the instructor when it’s convenient for them. It’s also important to realize that communication in an online school setup has limits, so you may need a knowledgeable staff member standing by to help.

As previously mentioned, the advantage of using an online school is that everyone can proceed with training at a comfortable pace. However, human nature being what it is, many people will procrastinate and then try to cram for exams at the last minute. This form of training requires additional support by management and monitoring by a knowledgeable staff member. You should see a definite progression of knowledge by staff members as the training proceeds. Otherwise, you need to ask whether the staff member is fully participating with the program.

Warning

It’s important to realize that not everyone can learn online. People have all sorts of ways to learn. In fact, some people don’t learn well in the classroom environment at all—they need some sort of hands-on training or they may need to see someone else perform a task. You may find that some staff members simply can’t use this option and will need to rely on an in-house trainer or some other method of obtaining the required training. The problem isn’t one of the staff member not trying, but simply a matter of ability to learn using a specific approach.

Relying on Training Centers

Training centers can offer best-of-breed training as long as you have willing staff members. The main thing to remember in this case is that the training the staff members receive is not only expensive but also generic. Training centers make their money by providing intensive training using scripted techniques. The training really is good, but the staff members have to participate fully in the process and then study during their off time (after class).

In order to make this option work, you essentially need to give up on getting anything from the staff member during the training time. Disruptions will only distract the staff member and reduce the effectiveness of the training (and at the prices these places charge, disruptions really are quite expensive). Because the training time and venue aren’t negotiable, you may need to compensate the staff member in various ways to ensure training goes as anticipated.

When the staff member returns from training, make sure you test the new knowledge gained fully. In addition, it’s often helpful for the staff member to provide a presentation on new skills learned. Using this approach helps to reinforce the knowledge that the staff member has gained and to inform other staff members about new techniques. The presentation falls into the cross-training category described in “Monitoring the Results”. You can use other techniques from that section to ensure that you got your money’s worth from the training center.

Using Local Colleges and Universities

Not every organization has the time, resources, or funds to use any of the other training techniques described in this section. Your staff members still require training. Even if you don’t have someone capable of performing in-house training and can’t afford any of the other options listed in this chapter, there is still a good chance that you can afford the services of a local college or university. Depending on how your locality handles schooling in this venue, you may need to pay some amount of tuition for the staff member, but you’ll likely find it a lot less expensive than other options.

Colleges and universities don’t teach anything quickly. The staff member will proceed at the same pace as everyone does, so this option won’t provide the sort of training needed in the short term. A staff member using this option may end up going for the entire semester or the school year to obtain the required information. Consequently, you need to perform advance planning to use this option.

The training is usually a bit more flexible than going to a training center. For example, the staff member may find that classes occur several times during the day and at night as well. Even so, you’ll often find that the schedule isn’t nearly as flexible as other training options mentioned in this chapter—the school will definitely meet its own needs before it meets yours.

As when using a training center, make sure the staff member demonstrates knowledge gained and provides presentations to cross-train other staff members. However, because the timeframe for training is so long, you can usually perform these tasks in segments. In addition, the longer training time means that the staff member won’t be quite so rushed in gaining the new skills and there is a good chance that the staff member will retain more because there is more time to absorb material between training sessions.

Ensuring Users Are Security Aware

Everyone requires some level of training to ensure you have good security at your organization. However, users often require specialized training because they don’t possess the knowledge that your development staff obtained during certification or while in school earning a degree. In addition, users lack the experience that the development team and other staff members have obtained through years of working through security issues. Therefore, you need to make some additional plans when it comes to user training in order to create a secure environment. The following sections provide some ideas on how you can make your users more security aware.

Making Security Training Specific

A problem with much of the security training in use today is that it isn’t specific. You must make security training specific to the organization—reflecting organizational policies. Otherwise, you can’t expect staff members to follow these policies when performing daily tasks and the result is often a security breach that the organization could avoid by following the policies.

Training also needs to consider any legal or other requirements. Not every business has the same security requirements placed on it. In order for staff members to know how to perform tasks securely in your specific organization, you need to make them aware of all the legal and other requirements that affect your organization. It’s important that staff members not only understand the legal or other requirement, but also understand how your organization meets that requirement.

It’s also important to focus on particular problem areas for your organization. Use actual examples of security issues (names, dates, and other particulars removed to protect the innocent). By focusing on your organization’s specific needs, you make the training more pertinent and help ensure that staff members see the practical benefit of following any requirements defined by the training. More importantly, help the staff members understand the cost of the security breach to them personally as part of the training. It’s essential that staff members understand the stake they have in following organizational guidelines when it comes to security.

Combining Training with Written Guides

No one will remember every word said during a training session. Testing of various sorts does help extend memory, but it also has limits. In addition to training, your staff members need written guides that reinforce the training. In fact, you should use these written guides as part of any in-house training that you perform. Make sure that your written guides always reflect the actual training that people receive. As you update the training, update the guide as well.

Note

Whenever you perform an update, make sure that everyone receives a copy of the updated guide. In addition, don’t let long-term staff members fall through the cracks. Any update in training should include updated training for existing staff members as well. Someone who is with an organization for a long time can get out of step with current security protocols and inadvertently cause a security breach through a lack of information.

Don’t focus on making your written guide ostentatious or flowery. What you want is a practical, simple guide to company policies. The staff members don’t have the time or patience to deal with a guide filled with legalese or jargon. A guide that spells things out simply and concisely works far better. Remember that a reference guide gets only a moment of a busy person’s attention: if staff members can’t find a given answer in under a minute, they won’t use the guide.

Make the written guide as short as possible. The less you bloat the language used to convey important security issues, the more people will pay attention to it. Keep things short and easy to remember. In addition, make sure you produce the guide in both printed and electronic form. The electronic copy allows a staff member to keep the guide on an alternative device, such as a smartphone, so that it’s available at all times. Put a version number and date on every release so that staff can tell at a glance whether the copy in front of them is current.

Creating and Using Alternative Security Reminders

Users get fixated on using an application and won’t think about security at times unless you provide an appropriate reminder. For example, an organization could create posters with security reminders and place them in public locations. The technique seems like something out of yesterday’s bad movie, but it actually does work. Keeping the need for security in front of the user, even during breaks, is one way to maintain the perception that security is important.

The application should also include security reminders. You don’t want to make them annoying. The reminder that says “Are you sure you want to do this?” and then displays another “Really?” reminder is just plain annoying and users will ignore it. One effective way to spell out security reminders is to provide a tip of the day as part of starting the application. Not every tip has to have a security focus. Sometimes you can add a fun tip into the mix. The point is to keep users guessing as to the content of the tip so that they’ll continue to look at it.

Note

One organization had a creative security administrator who sometimes ran contests, such as, “The first person who can locate the correct security principle to apply to giving people your password receives a free pizza at lunch.” The contests didn’t occur often and cost management almost nothing, yet they kept the staff alert to the security tips and greatly improved organizational security. Creativity in getting people to continue learning more about security is an essential part of gaining their cooperation to keep the application and its data safe.

IT staff should also receive human relations training. One of the biggest problems in gaining the attention and cooperation of staff members is that IT tends to make everyone feel like an idiot. If you tell someone often enough that they’re an idiot, they may tend to believe you and start acting the part. Positive reinforcement and a good attitude toward helping other staff members really will garner better results than constantly telling them that they can’t possibly understand security issues.

Holding Training Effectiveness Checks

You may find that the various techniques you try to get the staff members enthusiastic about security just aren’t working as well as you planned. Of course, the problem is figuring out how to change things so that security does improve. The first thing you need to accept is that security will never be bulletproof; all you can do is keep improving it and deal with each new threat as it arrives. You can, however, get steadily closer to that mark. Part of doing so is to check on the effectiveness of the various methods you use. Obtain statistics on what is and isn’t working using the various techniques described throughout the book (especially those found in “Providing for User Feedback” in Chapter 15). What you want to ascertain is the sources of potential security failures.

These potential security failure points tell you more about how well your training is working. You can also test staff members randomly using the techniques found earlier in the chapter. The point isn’t to locate staff members who are falling down on the job, but to locate places where current training strategies aren’t getting the results you had intended. As you find these problem areas, you need to consider how best to convey the required information, provide motivation for following the rule, and ensure penalties for purposely failing to follow procedure are implemented. However, the focus is always on getting better training to ensure people truly understand what is required.
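As an added illustration (not code from the book), the following Python script shows one way to turn the “monitored results” idea from “Monitoring the Results” and the statistics this section calls for into concrete numbers. It takes phishing-simulation delivery records, splits each department’s results into before-training and after-training, computes click and report rates, and flags departments whose post-training numbers miss an assumed target. The records, department names, training date, field layout, and thresholds are all constructed assumptions.

```python
"""Added illustration, not from the book: summarize phishing-simulation results
per department before and after security training, and flag the departments
where training is not producing the intended result. All records, names,
dates, and thresholds below are constructed assumptions."""
from collections import defaultdict
from datetime import date

TRAINED = date(2024, 3, 1)  # assumed date finance and engineering completed training

# Constructed sample: one tuple per simulated phishing email delivered.
#   (dept, trained_on, sent_on, clicked, reported)
#   trained_on  date the recipient completed training, None if not yet trained
#   sent_on     date the simulated email was delivered
#   clicked     recipient followed the link or opened the attachment
#   reported    recipient used the report-phishing button
SAMPLE = [
    # finance before training: 2 of 5 clicked, 1 of 5 reported
    ("finance", TRAINED, date(2024, 2, 5), True, False),
    ("finance", TRAINED, date(2024, 2, 6), True, False),
    ("finance", TRAINED, date(2024, 2, 7), False, True),
    ("finance", TRAINED, date(2024, 2, 8), False, False),
    ("finance", TRAINED, date(2024, 2, 9), False, False),
    # finance after training: 0 of 5 clicked, 3 of 5 reported
    ("finance", TRAINED, date(2024, 4, 2), False, True),
    ("finance", TRAINED, date(2024, 4, 3), False, True),
    ("finance", TRAINED, date(2024, 4, 4), False, True),
    ("finance", TRAINED, date(2024, 4, 5), False, False),
    ("finance", TRAINED, date(2024, 4, 8), False, False),
    # engineering before training: 2 of 5 clicked, 1 of 5 reported
    ("engineering", TRAINED, date(2024, 2, 5), True, False),
    ("engineering", TRAINED, date(2024, 2, 6), True, False),
    ("engineering", TRAINED, date(2024, 2, 7), False, True),
    ("engineering", TRAINED, date(2024, 2, 8), False, False),
    ("engineering", TRAINED, date(2024, 2, 9), False, False),
    # engineering after training: no change, 2 of 5 clicked, 1 of 5 reported
    ("engineering", TRAINED, date(2024, 4, 2), True, False),
    ("engineering", TRAINED, date(2024, 4, 3), True, False),
    ("engineering", TRAINED, date(2024, 4, 4), False, True),
    ("engineering", TRAINED, date(2024, 4, 5), False, False),
    ("engineering", TRAINED, date(2024, 4, 8), False, False),
    # support has not been trained yet, so every delivery counts as "before"
    ("support", None, date(2024, 4, 2), True, False),
    ("support", None, date(2024, 4, 3), False, False),
]


def phase(trained_on, sent_on):
    """Classify a delivery as before or after the recipient's training."""
    if trained_on is None or sent_on < trained_on:
        return "before"
    return "after"


def summarize(records):
    """Return {(dept, phase): {"sent": n, "click_rate": x, "report_rate": y}}."""
    counts = defaultdict(lambda: {"sent": 0, "clicked": 0, "reported": 0})
    for dept, trained_on, sent_on, clicked, reported in records:
        c = counts[(dept, phase(trained_on, sent_on))]
        c["sent"] += 1
        c["clicked"] += int(clicked)
        c["reported"] += int(reported)
    return {
        key: {
            "sent": c["sent"],
            "click_rate": c["clicked"] / c["sent"],
            "report_rate": c["reported"] / c["sent"],
        }
        for key, c in counts.items()
    }


def needs_attention(summary, max_click=0.10, min_report=0.50, min_sent=5):
    """Return {dept: reason} for departments whose post-training results miss
    the (assumed) targets. A department with fewer than min_sent post-training
    deliveries is reported as lacking data rather than judged on a few emails."""
    findings = {}
    for dept in sorted({dept for dept, _ in summary}):
        after = summary.get((dept, "after"))
        if after is None or after["sent"] < min_sent:
            findings[dept] = "insufficient post-training data"
            continue
        problems = []
        if after["click_rate"] > max_click:
            problems.append(f"click rate {after['click_rate']:.0%} above {max_click:.0%}")
        if after["report_rate"] < min_report:
            problems.append(f"report rate {after['report_rate']:.0%} below {min_report:.0%}")
        if problems:
            findings[dept] = "; ".join(problems)
    return findings


if __name__ == "__main__":
    summary = summarize(SAMPLE)
    for (dept, when), s in sorted(summary.items()):
        print(f"{dept:12}{when:7}sent={s['sent']}  click={s['click_rate']:.0%}  report={s['report_rate']:.0%}")
    for dept, why in needs_attention(summary).items():
        print(f"ATTENTION {dept}: {why}")
```

The report rate matters as much as the click rate: a department that stops clicking but never reports is not yet helping you detect real attacks. A department with only a handful of post-training deliveries is flagged as lacking data rather than judged on a few emails, which is the same caution the Warning in “Monitoring the Results” applies to individuals. On the constructed sample, finance passes, engineering is flagged for an unchanged 40% click rate and 20% report rate, and support is reported as having no post-training data.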