Software applications often suffer from security vulnerabilities, i.e. design flaws or programming bugs that remain undetected throughout the software development cycle. Once in production, these vulnerabilities become security holes: they provide an opportunity for exploitation and can pose immense security risks to an organization (and there is no reason to believe that CERN is immune to this).
The cost of eliminating these bugs is loosely described by the "1:10:100 rule": the relative cost of fixing a bug is 1, 10 or 100 depending on whether it is caught in the programming, testing or production phase. Thus, the earlier a vulnerability is detected, the cheaper it is to fix. Catching a bug before deployment also removes the window in which it could have been exploited.
To help software developers at CERN to create secure software, to make them aware of critical areas when programming and to give them the tools to avoid introducing security holes, the Technical Training and Computer Security teams have organized five specialized hands-on security courses for software and web application developers. These courses are intended for people who spend the majority of their time programming software applications and/or websites, and already have a good understanding of the particular language in use. The courses currently available are:
• Secure coding for C++ (two days)
• Secure coding in Java (one day)
• Secure coding for Perl (four hours)
• Secure coding for Python (four hours)
• Secure coding for web applications and web services (one day).
These courses are given in English by trainers from the Siemens Computer Emergency Response Team. Details can be found at http://cta.cern.ch/cta2/f?p=110:9.