Secure Coding mailing list archives
RE: Is developer education a lost cause?
From: "Brad Arkin" <barkin () atstake com>
Date: Wed, 04 Feb 2004 15:25:50 +0000
Even when given reliable security information about an application, business owners still care more about features than security. However, this demand for feature availability can still lead to more secure software given the right circumstances.

In some large financial corporations Info Security has managed to wedge itself (in the form of app pen tests) between the application business owner and the development group. While mandatory penetration testing prior to launch is not the most efficient way to find and resolve security bugs, it does provide the customer with the security information Jeff refers to. Despite this good and objective source of security information, the business owners don't care so much that an app doesn't meet minimum security levels. They do, however, care a great deal that the app delivery is delayed for last-minute security bug fixing after a pen test.

Development project managers in this situation have started turning to developer security training to reduce the schedule impact of a pen test/security fix cycle. This has the nice side effect of reducing the number of security bugs. In the past year, we've seen this trend of developers seeking out security training grow to include wholesale security training for all developers within large (1000+ developer head count) IT departments.

Brad
Sound familiar? The software market is filled with bad software because it is very difficult to tell which applications are lemons. The only way out of this trap is to make it easier to tell insecure apps from secure ones. I hate to say it, but this kind of market failure may require some form of government intervention -- tort claims, tax incentives, mandatory disclosure, or something. Oh, and the Common Criteria ain't it.

Okay, so maybe you're right for the wrong reason. If we want more secure code, we'd better fix the "security information" market first. We need to shoot for a "fair" information market where everyone has the same information. Then market forces actually work for security. Only then does developer education become critical.

For now, only isolated pockets of software development that are shielded somehow from this market failure will be very interested in security training. They *do* exist sporadically in the Global2000 and DoD, in projects like sensitive intranet web apps/services and high-profile internet web applications. They take our classes and we're helping them improve their SDLC so it produces secure code.

--Jeff

Jeff Williams
Aspect Security
http://www.aspectsecurity.com
Current thread:
- Re: Is developer education a lost cause?, (continued)
- Re: Is developer education a lost cause? George Capehart (Jan 23)
- RE: Is developer education a lost cause? Robert Shields (Jan 23)
- Re: Is developer education a lost cause? Richard Moore (Jan 23)
- RE: Is developer education a lost cause? Giri, Sandeep (Jan 23)
- RE: Is developer education a lost cause? Robert Shields (Jan 23)
- Re: Is developer education a lost cause? Gary McGraw (Jan 23)
- RE: Is developer education a lost cause? Jeremy Epstein (Jan 30)
- Re: Is developer education a lost cause? der Mouse (Jan 31)
- RE: Is developer education a lost cause? Jeremy Epstein (Feb 02)
- Re: Is developer education a lost cause? jeff . williams (Feb 02)
- RE: Is developer education a lost cause? Brad Arkin (Feb 04)