I was thinking the other day about where the average software developer or quality assurance engineer draws their fundamental software knowledge from. The fundamentals and basics are mostly engraved at university and perhaps in the first couple of years of professional experience; the education and learning journey does continue after that, but perhaps at a slower pace. But where would a software professional (whether a developer, a quality assurance engineer, etc.) go for more self-education?
Older generations of software developers grew up on Donald Knuth’s books, younger generations grew up on books like Code Complete and Programming Pearls, and generation Y grew up on blogs like JoelOnSoftware and Coding Horror. One of the fundamental problems that is always debated is that software security is not taught at universities, hence the huge number of software vulnerabilities nowadays.
How does one learn about software security then?
- Get your hands dirty: This is by far the best way to learn anything. Get involved in open-source security projects. That was one venue that benefited me the most when starting out in my own security career. OWASP in particular has an extremely awesome program called Season of Code, where you get to work on security projects and still get paid… awesome! Another guaranteed way to teach yourself web security is playing with WebGoat, a web application that is intentionally vulnerable to numerous attacks; it consists of lessons, and each lesson targets a specific vulnerability. Taking it up a notch would be to contribute a lesson yourself.
- Fortunately, the good old way of reading still holds: But be aware that the complexity and diversity of attacks nowadays are growing exponentially. We are living in a digital age; today’s attacks are orders of magnitude more complex than yesterday’s. So books provide good basics, somewhere to start, and general information regarding software security, but you can’t really depend on them for everything. OWASP provides excellent educational material that is updated regularly; you should expect to find guides on secure web application development in Java, ASP.NET, RoR, etc., a security code review guide, and a bunch of other tools that you can use along the way.
- Local Security Communities: Your local software security community is one of the best ways to learn about security. They usually provide some of the edgy, up-to-date information about security, but you can also expect to get information that will really benefit you as a beginner in the field. Some of the communities you might want to check out are OWASP, SANS, Security Klatch and ISSA. OWASP in particular focuses more on web application security; more often than not you will find an active chapter near where you are. Check out the next event here.
- Online Security Community: Hmmm, isn’t it the same as the local one? The short answer is NO. In the local community you get to talk to people, exchange information, and get a more localized view of the challenges that face the local community you belong to. The online version of the community, however, gives a broader and more general view of the security industry. For example, I live in Ottawa, Canada. For those who don’t know, it is a government town; a lot of discussion and interest is driven by the local market, which is the Government. We once had a guest in the local OWASP chapter from Taiwan, and their challenges as security professionals are somewhat different from those in Ottawa, Canada.
- Blogs: Blogs are my favorite source of security news and information. But you have to find your perfect source. Here are some of my favorites:
- The news section by OWASP, always updated with the latest and greatest; check it out here.
- SANS just released a list of the top 10 cyber security journalists you might want to follow; it looks very interesting.
- Street Fighter, an application security blog updated by SANS top instructors.
What is your favorite source for teaching yourself software security?