Ask HN: What topics do you think are valuable in secure coding training?
7 points by artful-hacker 2 days ago | 2 comments
I've been tasked with revamping our onboarding training for secure software development. We have to cater to all skill-sets, from someone just starting out to a senior engineer. It's a one hour session that all new developers at our company have to take, and it's currently quite dull. For example, it spends about 15-20 minutes on user password storage/hashing, which is something our developers should never need to do themselves.

What security topics do you think would be valuable for new developers to get exposure to during onboarding?

Coding and auditing/reviewing demand inverted perspectives on the code (aiming for functionality vs. dysfunctionality), and you should seek to synchronize these two mindsets such that you always think a few steps ahead with each statement you write. Cultivating an awareness of the counter-intuitive repercussions of every block of code is a more durable objective than remembering cold facts like password hashing. I personally work a lot with fuzzers and the cycle of coding-fuzzing-bugfixing is a great way to attain this awareness. Letting your new developers fuzz or manually break a prepared piece of code is a good way to let them get a taste for it. It's interactive, engaging, surprising and optionally competitive so retention of whatever they take away from it should be better than listening to a presentation.
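As an added illustration of the coding-fuzzing-bugfixing loop the comment above describes (example code added to this page, not the commenter's), here is a "prepared piece of code" of the kind a one-hour exercise could use. The record format (one length byte, payload, two checksum bytes) and all function names are made up for the exercise. The buggy parser trusts the length byte; the fuzzer feeds it random inputs and keeps anything that blows up with an unexpected exception; the minimizer shrinks a crashing input so the developer can see exactly what triggered it; the fixed parser validates the length before indexing.

```python
"""Added example: a fuzzable 'prepared piece of code' for a secure-coding exercise.
Format (constructed for this exercise): [len][payload * len][checksum_hi][checksum_lo]."""
import random


def parse_record_buggy(buf: bytes) -> tuple[bytes, int]:
    """Deliberately trusts the length byte: the bug the exercise is meant to surface.
    A short or oversized-length buffer makes the checksum indexing go out of range."""
    n = buf[0]                                  # IndexError on an empty buffer
    payload = buf[1:1 + n]                      # slicing silently truncates, no error
    checksum = (buf[1 + n] << 8) | buf[2 + n]   # IndexError when n >= len(buf) - 2
    return payload, checksum


def parse_record_fixed(buf: bytes) -> tuple[bytes, int]:
    """Hardened version: validate every assumption before indexing, and reject
    malformed input with one well-defined exception type (ValueError)."""
    if len(buf) < 3:
        raise ValueError("record too short")
    n = buf[0]
    if len(buf) != 3 + n:
        raise ValueError(f"length byte says {n} payload bytes, buffer has {len(buf) - 3}")
    payload = buf[1:1 + n]
    checksum = (buf[1 + n] << 8) | buf[2 + n]
    return payload, checksum


def _crashes(parse, buf: bytes) -> bool:
    """True if the parser dies with anything other than its documented rejection."""
    try:
        parse(buf)
    except ValueError:
        return False        # expected, explicit rejection of bad input
    except Exception:
        return True         # unexpected failure: that is a finding
    return False


def fuzz(parse, iterations: int = 2000, seed: int = 1) -> list[bytes]:
    """Dumb random-input fuzzer: returns every input that crashed the parser.
    Seeded so an exercise run is reproducible."""
    rng = random.Random(seed)
    crashes = []
    for _ in range(iterations):
        length = rng.randint(0, 8)
        buf = bytes(rng.randint(0, 255) for _ in range(length))
        if _crashes(parse, buf):
            crashes.append(buf)
    return crashes


def minimize(parse, buf: bytes) -> bytes:
    """Greedy shrink: drop one byte at a time as long as the input still crashes,
    so the developer sees the smallest input that reproduces the bug."""
    changed = True
    while changed:
        changed = False
        for i in range(len(buf)):
            candidate = buf[:i] + buf[i + 1:]
            if _crashes(parse, candidate):
                buf = candidate
                changed = True
                break
    return buf


if __name__ == "__main__":
    found = fuzz(parse_record_buggy)
    print(f"buggy parser: {len(found)} crashing inputs out of 2000")
    if found:
        print("smallest reproducer:", minimize(parse_record_buggy, found[0]))
    print(f"fixed parser: {len(fuzz(parse_record_fixed))} crashing inputs out of 2000")
```

The point worth making in the session is what this fuzzer does not catch: when the length byte is larger than the buffer, the slice silently truncates the payload and the "checksum" is read from whatever bytes happen to be there, with no exception at all. A crash-only fuzzer is blind to that, which is exactly where the reviewer's inverted perspective from the comment has to take over.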

do threat modeling!
