I've been tasked with revamping our onboarding training for secure software development. We have to cater to all skill sets, from someone just starting out to a senior engineer. It's a one-hour session that all new developers at our company have to take, and it's currently quite dull. For example, it spends about 15-20 minutes on user password storage/hashing, which is something our developers should never need to do themselves.

What security topics do you think would be valuable for new developers to get exposure to during onboarding?
Coding and auditing/reviewing demand inverted perspectives on the code (aiming for functionality vs. dysfunctionality), and you should seek to synchronize these two mindsets such that you always think a few steps ahead with each statement you write. Cultivating an awareness of the counter-intuitive repercussions of every block of code is a more durable objective than remembering cold facts like password hashing. I personally work a lot with fuzzers and the cycle of coding-fuzzing-bugfixing is a great way to attain this awareness. Letting your new developers fuzz or manually break a prepared piece of code is a good way to let them get a taste for it. It's interactive, engaging, surprising and optionally competitive, so retention of whatever they take away from it should be better than listening to a presentation.
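As an added illustration of the coding-fuzzing-bugfixing cycle described above (example code, not the commenter's own), here is a minimal version of the "prepared piece of code" exercise: a parser with a planted defect, a tiny random fuzzer that finds it, and the fixed parser the same fuzzer no longer breaks. The header format, function names and fuzzer parameters are all constructed for this example.

```python
import random
import string

# Constructed exercise target: parses "key=value;key=value" into a dict.
# Planted defect: an item with no '=' raises IndexError instead of being
# rejected cleanly, which is the kind of crash trainees should hunt for.
def parse_pairs_buggy(s: str) -> dict:
    result = {}
    for item in s.split(";"):
        parts = item.split("=", 1)
        result[parts[0]] = parts[1]  # IndexError when '=' is absent
    return result

# The version produced in the bug-fix step of the cycle: every malformed
# item is rejected with a ValueError, the only exception callers expect.
def parse_pairs_fixed(s: str) -> dict:
    result = {}
    for item in s.split(";"):
        if not item:
            continue  # tolerate empty items such as trailing ';'
        key, sep, value = item.partition("=")
        if not sep or not key:
            raise ValueError(f"malformed item: {item!r}")
        result[key] = value
    return result

def fuzz(target, iterations: int = 2000, seed: int = 1):
    """Feed random inputs to target; return the first input that makes it
    raise anything other than the documented ValueError, else None."""
    rng = random.Random(seed)  # fixed seed so a finding is reproducible
    alphabet = string.ascii_letters + "=;"
    for _ in range(iterations):
        length = rng.randint(0, 12)
        candidate = "".join(rng.choice(alphabet) for _ in range(length))
        try:
            target(candidate)
        except ValueError:
            continue  # rejected cleanly: not a bug
        except Exception:
            return candidate  # unexpected crash: a finding to fix
    return None

if __name__ == "__main__":
    print("buggy parser crashed on:", repr(fuzz(parse_pairs_buggy)))
    print("fixed parser crashed on:", repr(fuzz(parse_pairs_fixed)))
```

Running the fuzzer against the buggy parser yields a crashing input within a few iterations; against the fixed parser it returns None, which is the checkpoint a trainee should reach before calling the fix done.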