RE: Security training of developers and company liability

I do believe this practice has been dropped by ISS due to the fact that the
waiver was not even enforceable in most case.

It is usually something training center do as a CYA practice.

It would be like taking a driving course and suing the training company
because a drunk driver who took their training hit you on the road.

As mentioned, your legal counsel is probably your best bet

Take care

Clement


Clément Dupuis, CD
President/Security Evangelist/Chief Learning Officer (CLO)
CCCure Enterprise Security & Training Inc.
CISSP, GCFW, GCIA, Security+, CEH, CCSA, MBNS, MBIS, MBHS, CCSE, ACE
Tel: 954 364 8410 (Florida)
Tel: 514 907 1671 (Montreal)
Tel: 418 907 0263 (Quebec)
Fax: 1-514-221-3367 (Preferred Number) or 1-636-773-6328

Maintainer of :

The CISSP and SSCP Open Study Guides Web Site
http://www.cccure.org

The Professional Security Testers Warehouse
http://www.professionalsecuritytesters.org


-----Original Message-----
From: Stephen de Vries [mailto:stephen@corsaire.com] 
Sent: Thursday, December 08, 2005 3:55 AM
To: James Strassburg
Cc: webappsec@securityfocus.com
Subject: Re: Security training of developers and company liability


I used to be a trainer on the ISS Ethical Hacking course in the UK  
and it was standard practice to have the delegates sign a waiver that  
they would only use their new powers in defense of the empire.

Not sure whether this was strictly necessary in the UK, it could have  
been a knee jerk reaction from the US legal department.
It rarely hurts to play it safe.

cheers,
Stephen

On 7 Dec 2005, at 23:51, James Strassburg wrote:

> I am currently training all of my organization's software  
> developers on
> web application security.  I'm using WebScarab and WebGoat as my  
> primary
> teaching tools as I feel that seeing how the problems are exploited is
> much more effective than trying to cover every type of coding mistake
> that can lead to the problems.  My question is about company  
> liability.
> What if one of the developers used the information learned to attack
> another site?  Is my company liable for their actions as we taught  
> them
> how to do it?  Should I have our legal department create a  
> disclaimer or
> waiver for them to sign?
>
> I will be asking the same questions directly to our legal  
> department but
> thought a discussion here could provide some more insight and be
> valuable for others.  thanks.
>
>
> James A. Strassburg Jr.       
> Software Security Architect   
> Direct Supply, Inc.





---
avast! Antivirus: Inbound message clean.
Virus Database (VPS): 0549-3, 12/07/2005
Tested on: 12/8/2005 8:10:27 AM
avast! - copyright (c) 1988-2004 ALWIL Software.
http://www.avast.com





---
avast! Antivirus: Outbound message clean.
Virus Database (VPS): 0549-3, 12/07/2005
Tested on: 12/8/2005 8:21:16 AM
avast! - copyright (c) 1988-2004 ALWIL Software.
http://www.avast.com