Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Security training of developers and company liability

from [Daniel] Network Security [Permanent Link]
Subject: Re: Security training of developers and company liability
Date: Thu, 8 Dec 2005 12:42:11 +0000 
Well lets step back and apply this approach to other industries:

Chef's: What happens if they use their pairing skills to attack old people?
Mechanics; What happens if they use their wrenching skills to rob banks?


I'm with Stephen on this, ask them to sign a disclosure and that will
keep you, and your company, covered.

On 12/8/05, Lyal Collins <lyal.collins@key2it.com.au> wrote:

Obligatory IANAL disclaimer.
Is this like asking if a driving instuctor is liable because a former
student commits manslaughter or murder with a
vehicle?

I think the key issues are ethics, and intent.
With skills that are more potentially dangerous, ethics and responsbility
needs to be part of the skills and knoweldge shared during training.
As long as the company's intent is not to attack other sites, and has clear
policies against such activities 'on company time' then there should be
little issue. What an individual does outside of the workplace comes down to
intent and responsibility.

TO be real safe, ask your legal team your question, along with thoughts like
the above as background.

Your jurisidiction may be different, of course.

Lyal


-----Original Message-----
From: James Strassburg [mailto:JStrassburg@directs.com]
Sent: Thursday, 8 December 2005 3:51 AM
To: webappsec@securityfocus.com
Subject: Security training of developers and company liability


I am currently training all of my organization's software developers on web
application security.  I'm using WebScarab and WebGoat as my primary
teaching tools as I feel that seeing how the problems are exploited is much
more effective than trying to cover every type of coding mistake that can
lead to the problems.  My question is about company liability. What if one
of the developers used the information learned to attack another site?  Is
my company liable for their actions as we taught them how to do it?  Should
I have our legal department create a disclaimer or waiver for them to sign?

I will be asking the same questions directly to our legal department but
thought a discussion here could provide some more insight and be valuable
for others.  thanks.


James A. Strassburg Jr.
Software Security Architect
Direct Supply, Inc.
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: Security training of developers and company liability, James Strassburg
Next by Date:  RE: Security training of developers and company liability, Jeff Robertson
Previous by Thread:  RE: Security training of developers and company liability, Clement Dupuis
Next by Thread:  RE: Security training of developers and company liability, Griffiths, Ian
Indexes:  [Date] [Thread] [Top] [All Lists]