Ask HN: What topics do you think are valuable in secure coding training?

7 pointsartful-hacker5y ago2 comments

I've been tasked with revamping our onboarding training for secure software development. We have to cater to all skill-sets, from someone just starting out to a senior engineer. Its a one hour session that all new developers at our company have to take, and its currently quite dull. For example, it spends about 15-20 minutes on user password storage/hashing, which is something our developers should never need to do themselves.

What security topics do you think would be valuable for new developers to get exposure to during on boarding?

2 comments

2 comments · 2 top-level

guidovranken5y ago

Coding and auditing/reviewing demand inverted perspectives on the code (aiming for functionality vs. disfunctionality), and you should seek to synchronize these two mindsets such that you always think a few steps ahead with each statement you write. Cultivating an awareness of the counter-intuitive repercussions of every block of code is a more durable objective than remembering cold facts like password hashing. I personally work a lot with fuzzers and the cycle of coding-fuzzing-bugfixing is a great way to attain this awareness. Letting your new developers fuzz or manually break a prepared piece of code is a good way to let them get a taste for it. It's interactive, engaging, surprising and optionally competitive so retention of whatever they take away from it should be better than listening to a presentation.

probinso5y ago

do threat modeling!

j / k navigate · click thread line to collapse