A new campaign tracked as "Dev Popper" is targeting software developers with fake job interviews in an attempt to trick them into installing a Python remote access trojan (RAT).
In my experience, your average software developer has absolutely terrible security hygiene. It’s why you see countless instances of private keys copy/pasted into public GitHub repos or the seemingly daily occurrences of massive data breaches.
My undergrad in CS (which I should point out, is still by far the most common major for software engineers) did not require a security course, and I’m fairly confident that this is pretty typical. To be honest, I wouldn’t have trusted any of my CS professors to know the first thing about security. It’s a completely different field and something that generally requires a lot of practical experience. The closest we ever got was an explanation of asymmetric vs. symmetric encryption. There was certainly no discussion of even basic things like how to properly manage secrets or authn best practices.
Everything I know now as a senior software engineer about software security has come from experience on the job. I’ve been very fortunate to work at some places that take it very seriously (including a government contractor writing cybersecurity software for the Department of Defense) and learned a lot there. But a lot of shops don’t have a culture that promotes good security hygiene, and it shows in the litany of insecure software out in the wild today.
Thanks for the response. Seems like I can’t assume other CS degrees are comparable.
We definitely have a strong focus on security in my degree, but I still believe that awareness of what you’re running on your machine and potential dangers of those programs fall into the category of common sense. Mishandling secrets, having bad authentication or not knowing how to setup SSL is definitely experience stuff though.
In my experience, your average software developer has absolutely terrible security hygiene. It’s why you see countless instances of private keys copy/pasted into public GitHub repos or the seemingly daily occurrences of massive data breaches.
My undergrad in CS (which I should point out, is still by far the most common major for software engineers) did not require a security course, and I’m fairly confident that this is pretty typical. To be honest, I wouldn’t have trusted any of my CS professors to know the first thing about security. It’s a completely different field and something that generally requires a lot of practical experience. The closest we ever got was an explanation of asymmetric vs. symmetric encryption. There was certainly no discussion of even basic things like how to properly manage secrets or authn best practices.
Everything I know now as a senior software engineer about software security has come from experience on the job. I’ve been very fortunate to work at some places that take it very seriously (including a government contractor writing cybersecurity software for the Department of Defense) and learned a lot there. But a lot of shops don’t have a culture that promotes good security hygiene, and it shows in the litany of insecure software out in the wild today.
Thanks for the response. Seems like I can’t assume other CS degrees are comparable.
We definitely have a strong focus on security in my degree, but I still believe that awareness of what you’re running on your machine and potential dangers of those programs fall into the category of common sense. Mishandling secrets, having bad authentication or not knowing how to setup SSL is definitely experience stuff though.