Security Basics mailing list archives

Re: A Question of Quality


From: Deaths_Fury <Deaths_Fury () hotmail com>
Date: Tue, 04 Nov 2008 09:50:28 -0700

Daniël W. Crompton wrote:
2008/11/2 Robert Hajime Lanning <robert.lanning () gmail com>:
On Thu, Oct 30, 2008 at 4:55 PM, Yousef Syed <yousef.syed () gmail com> wrote:
Why isn't Quality Assumed?
Why isn't Security Assumed?
Why are these concepts thought of as add ons to Applications and Services?

Why do they need to be specified, when they should be taken for granted?

I believe one of the issues is, pride of ownership in the end product.

A lot of the coding is now outsourced to cheap code houses.  These people
do not have ownership or attribution.  They have no reason to take any extra
steps that are not specified in the contract.  If it is not in the
contract, they are not being paid for it.

I have to disagree with you there. Even if you examine code that comes
from internally, where they have pride of ownership, there are many
security considerations which are only later applied to the product.
Many times it's the case that security aspects are tacked on later,
rather than being considered from the outset.

D.

blaze your trail

--
redhat

http://feeds.feedburner.com/GeneralMusing

Though both Daniel and Robert have great points, I would have to agree with Daniel and Yousef. The problem is not so much in outsourcing to cheap code houses; it is more about the security needs being "tacked on later" (to quote Daniel) and managers pushing time and budget over a quality security focus. I work a lot with the open-source community, and though we do not generally have the problem with the managers, we do have an issue with security being left until last and with developers who are undereducated in security bringing updates that are just accidents waiting to happen.

I think, however, that the largest problem is simply with developers who do not have the drive to make a secured application. I remember when I was starting out, I couldn't care less about security. In the years since then I have gained a respect for myself and my work, and due to that, I have become more aware of how the security of the application reflects on my work personally. I have found that a lot of developers do not gain that sense of respect and worth for their work, which makes it harder for those of us who are concerned about it. Rather than push management as a group for higher security standards as Yousef suggested, we first need to convince our fellow developers that security is something we should hold ourselves to. The management will not change because one member of a team pushes; however, if that one voice turns into 5 or 10 or more (depending on team sizes, of course), the management has a larger chance of listening.

I personally do not have much experience with negotiating contracts with clients; however, one of the suggestions for management that I can think of would be to inform the client of the necessity of security in an application and then negotiate a larger dollar amount. Inform the client fully about why the number is larger than what others could offer, and then be sure to explain the risks of not including the security that you offer for the larger sum. Perhaps that is just a naive idea from someone who is inexperienced with contract negotiation or the entire contract process, but I figured I would get it out there. Even if that itself would not work, there may be some other idea stemming from it. Food for thought, if you will.
