Ooops, Sorry Lyal, I only read your response now.
I guess great minds think alike.
Take care
Clement
Clément Dupuis, CD
President/Security Evangelist/Chief Learning Officer (CLO)
CCCure Enterprise Security & Training Inc.
CISSP, GCFW, GCIA, Security+, CEH, CCSA, MBNS, MBIS, MBHS, CCSE, ACE
Tel: 954 364 8410 (Florida)
Tel: 514 907 1671 (Montreal)
Tel: 418 907 0263 (Quebec)
Fax: 1-514-221-3367 (Preferred Number) or 1-636-773-6328
Maintainer of :
The CISSP and SSCP Open Study Guides Web Site
http://www.cccure.org
The Professional Security Testers Warehouse
http://www.professionalsecuritytesters.org
-----Original Message-----
From: Lyal Collins [mailto:lyal.collins@key2it.com.au]
Sent: Thursday, December 08, 2005 2:37 AM
To: 'James Strassburg'; webappsec@securityfocus.com
Subject: RE: Security training of developers and company liability
Obligatory IANAL disclaimer.
Is this like asking if a driving instuctor is liable because a former
student commits manslaughter or murder with a
vehicle?
I think the key issues are ethics, and intent.
With skills that are more potentially dangerous, ethics and responsbility
needs to be part of the skills and knoweldge shared during training.
As long as the company's intent is not to attack other sites, and has clear
policies against such activities 'on company time' then there should be
little issue. What an individual does outside of the workplace comes down to
intent and responsibility.
TO be real safe, ask your legal team your question, along with thoughts like
the above as background.
Your jurisidiction may be different, of course.
Lyal
-----Original Message-----
From: James Strassburg [mailto:JStrassburg@directs.com]
Sent: Thursday, 8 December 2005 3:51 AM
To: webappsec@securityfocus.com
Subject: Security training of developers and company liability
I am currently training all of my organization's software developers on web
application security. I'm using WebScarab and WebGoat as my primary
teaching tools as I feel that seeing how the problems are exploited is much
more effective than trying to cover every type of coding mistake that can
lead to the problems. My question is about company liability. What if one
of the developers used the information learned to attack another site? Is
my company liable for their actions as we taught them how to do it? Should
I have our legal department create a disclaimer or waiver for them to sign?
I will be asking the same questions directly to our legal department but
thought a discussion here could provide some more insight and be valuable
for others. thanks.
James A. Strassburg Jr.
Software Security Architect
Direct Supply, Inc.
---
avast! Antivirus: Inbound message clean.
Virus Database (VPS): 0549-3, 12/07/2005
Tested on: 12/8/2005 8:10:28 AM
avast! - copyright (c) 1988-2004 ALWIL Software.
http://www.avast.com
---
avast! Antivirus: Outbound message clean.
Virus Database (VPS): 0549-3, 12/07/2005
Tested on: 12/8/2005 8:22:29 AM
avast! - copyright (c) 1988-2004 ALWIL Software.
http://www.avast.com
