Software Security Training for All

 Fifteen years ago, a common representation of the hacker was a computer science college student hacking systems from his or her dorm room. Nowadays hackers operate on a different scale; they are more often affiliated to criminal organizations or to nation states than to colleges or universities.

The only thing today’s cyber attackers have in common with college students from 15 years ago can be summarized in 2 words: SOFTWARE VULNERABILITY. Most recent days attacks involve the exploitation of a zero day software vulnerability that has certainly been created by software engineers who used to be computer science college students several years ago. Sadly, software security is not a significant part of most software engineering curricula, leaving it to the developers to learn defensive coding techniques by themselves or to their employers to invest in expensive security engineering training.

Early on, SAFECode members acknowledged that all successful software security initiatives have been built on the foundation of a comprehensive security training program, and published in 2009 a report entitled “Security Engineering Training – A Framework for Corporate Training Programs on the Principles of Secure Software Development”. This became a useful resource to help software security leaders define a training program, but it did not do much to address the knowledge gap in software security across the software development ecosystem.

This week, SAFECode is going a step further and is releasing to the public online security engineering courses based on internal training materials used by SAFECode members. The first 6 courses of this program were donated by Adobe (thank you Brad!) and then reviewed and enhanced by experts from the other SAFECode member companies. These first courses touch on topics as diverse as Cross Site Request Forgery, access control or injection 101. Please go and check these courses at

Who is the target audience for these courses?

These courses are for software developers who do not want that the code they create become the target of a cyber attacker’s spear phishing attack. They are also for anybody who is developing a software security curriculum, in a technology company, an IT department, a college or a university and is looking for relevant content. At EMC we are integrating these courses in our existing software security curriculum.

Will SAFECode publish additional courses?

The field of software security is much broader than the 6 topics covered by these initial courses and we are already in the process of reviewing more courses.

With these courses now available, are software vulnerabilities a thing of the past?

There is no silver bullet to providing software assurance, neither a magic tool nor a set of training courses. Software assurance can only be delivered through a comprehensive process (see “Fundamental Practices for Secure Software Development”). A knowledgeable developer community is an absolute prerequisite to the successful roll-out of such process. SAFECode member companies, hope that by releasing these courses we will contribute to improving the collective knowledge of security engineering among the developer community and create a more fertile ground for the broader adoption of secure software development practices, which has been the charter of SAFECode since its inception.

About the Author: Eric Baize

Throughout his career, Eric Baize has been passionate about building security and privacy into systems and technology from design to deployment. He currently leads Dell EMC’s Product Security Office and serves as Chairman of SAFECode, an industry-led non-profit organization dedicated to advancing software and supply chain security best practices. At Dell EMC, Eric leads the team that sets the standards and practices for all aspects of product security for the product portfolio: Vulnerability response, secure development, consistent security architecture, and code integrity. Eric joined Dell through its combination with EMC where he built EMC’s highly successful product security program from the ground up and was a founding member of the leadership team that drove EMC’s acquisition of RSA Security in 2006. He later led RSA’s strategy for cloud and virtualization. Prior to joining EMC in 2002, Eric held various positions for Groupe Bull in Europe and in the US. Eric has been a member of the SAFECode Board of Directors since the organization was founded in 2007 and also serves on the BSIMM Board of Advisors. He holds multiple U.S. patents, has authored international security standards, is a regular speaker at industry conferences and has been quoted in leading print and online news media. Eric holds a Masters of Engineering degree in Computer Science from Ecole Nationale Supérieure des Télécommunications de Bretagne, France and is a Certified Information Security Manager. Follow Eric Baize on Twitter: @ericbaize