RE: Security training of developers and company liability

["James Strassburg" <JStrassburg () directs com>]

For anyone still interested: I posed this question to our corporate
legal team.  Their response stated that since we have a corporate
information systems use policy that includes not using the Internet for
inappropriate reasons (there is much more language in the policy of
course), we would have a good argument that we were not negligent by
training developers in this respect.  Therefore, he didn't feel a CYA
signed waiver or disclaimer was necessary.  They did suggest reaffirming
the relevant parts of the information systems use policy verbally at the
start of the class however.

Note that we are in Wisconsin, USA.  Laws in your respective country,
state/province, city/town/district, whatever, may be and probably are
different.

James Strassburg

-----Original Message-----
From: James Strassburg [mailto:JStrassburg () directs com] 
Sent: Wednesday, December 07, 2005 10:51 AM
To: webappsec () securityfocus com
Subject: Security training of developers and company liability

I am currently training all of my organization's software developers on
web application security.  I'm using WebScarab and WebGoat as my primary
teaching tools as I feel that seeing how the problems are exploited is
much more effective than trying to cover every type of coding mistake
that can lead to the problems.  My question is about company liability.
What if one of the developers used the information learned to attack
another site?  Is my company liable for their actions as we taught them
how to do it?  Should I have our legal department create a disclaimer or
waiver for them to sign?
 
I will be asking the same questions directly to our legal department but
thought a discussion here could provide some more insight and be
valuable for others.  thanks.
 
 
James A. Strassburg Jr. 
Software Security Architect     
Direct Supply, Inc.