http://ask.metafilter.com/113776/Security-training-for-embedded-developers/ Comments on Ask MetaFilter post Security training for embedded developers? Mon, 09 Feb 2009 11:34:35 -0800 Mon, 09 Feb 2009 11:34:35 -0800 en-us http://blogs.law.harvard.edu/tech/rss 60 http://ask.metafilter.com/113776/Security-training-for-embedded-developers What's a good security course for embedded developers? <br /><br /> The folks at the top say we need "security training". The server guys are taking a course in SQL injection, ASP.NET stuff, etc. I'd rather get my embedded guys something more, well, embedded-specific. I'm thinking a refresher on basics of cryptography, network security, specific protocols, etc. and maybe some "code practices greatest hits". A short two-day course is the target. Does anyone have a recommendation for either online/onsite training that might fit the bill? post:ask.metafilter.com,2009:site.113776 Mon, 09 Feb 2009 11:04:35 -0800 RobotVoodooPower embedded security training resolved http://ask.metafilter.com/113776/Security-training-for-embedded-developers#1634166 Read <em><a href="http://www.amazon.com/exec/obidos/ASIN/0470068523/metafilter-20/ref=nosim/">Security Engineering: A Guide to Building Dependable Distributed Systems</a></em>, 2nd Edition. comment:ask.metafilter.com,2009:site.113776-1634166 Mon, 09 Feb 2009 11:34:35 -0800 pdxpatzer http://ask.metafilter.com/113776/Security-training-for-embedded-developers#1634171 What platforms do they develop for? Frequently with embedded software on phones or PDAs, for example, the manufacturer will offer platform-specific security training. comment:ask.metafilter.com,2009:site.113776-1634171 Mon, 09 Feb 2009 11:36:21 -0800 doteatop http://ask.metafilter.com/113776/Security-training-for-embedded-developers#1634191 doteatop, we develop against Windows CE and Linux. I'd like to remain platform-agnostic if possible, because my main goal is not to teach specific API behaviors but to satisfy the PHBs at my company while at the same time getting the developers excited about learning something new. comment:ask.metafilter.com,2009:site.113776-1634191 Mon, 09 Feb 2009 12:01:14 -0800 RobotVoodooPower http://ask.metafilter.com/113776/Security-training-for-embedded-developers#1634509 I can strongly recommend <a href="http://www.fortify.com/">Fortify's</a> training, and <a href="http://www.cigital.com/">Cigital</a> is highly spoken of as well.<br> <br> Your developers might also appreciate putting into place some form of automation to check for memory management bugs, etc, during the build. If you have flexibility in your spending, maybe you can check out some affordable static analysis tools or fuzzer suites, and look for training more specific to those. I personally love build automation and this would get me really excited (management never or rarely expresses interest in these kinds of solutions).<br> <br> For books, in addition to the above I can recommend:<br> <ul><li><a href="http://www.amazon.com/exec/obidos/ASIN/0321356705/metafilter-20/ref=nosim/">http://www.amazon.com/Software-Security-Building-Addison-Wesley/dp/0321356705</a></li><li><a href="http://www.amazon.com/exec/obidos/ASIN/0321356705/metafilter-20/ref=nosim/">http://www.amazon.com/Programming-Analysis-Addison-Wesley-Software-Security/dp/0321424778M</a></li></ul> comment:ask.metafilter.com,2009:site.113776-1634509 Mon, 09 Feb 2009 14:51:20 -0800 doteatop