Secure Coding mailing list archives

RE: Is developer education a lost cause?


From: "Brad Arkin" <barkin () atstake com>
Date: Wed, 04 Feb 2004 15:25:50 +0000

Even when given reliable security information about an application,
business owners still care more about features than security.  However,
this demand for feature availability can still lead to more secure
software given the right circumstances.

In some large financial corporations Info Security has managed to wedge
itself (in the form of app pen tests) between the application business
owner and the development group.  While mandatory penetration testing
prior to launch is not the most efficient way to find and resolve
security bugs, it does provide the customer with the security
information Jeff refers to.

Despite this good and objective source of security information, the
business owners don't care so much that an app doesn't meet minimum
security levels.  They do, however, care a great deal that the app
delivery is delayed for last minute security bug fixing after a pen
test.  Development project managers in this situation have started
turning to developer security training to reduce the schedule impact of
a pen test/security fix cycle.  This has the nice side effect of
reducing the number of security bugs.

In the past year, we've seen this trend of developers seeking out
security training grow to include wholesale security training for all
developers within large (1000+ developer head count) IT departments.

Brad

Sound familiar? The software market is filled with bad software because it
is very difficult to tell which applications are lemons. The only way out of
this trap is to make it easier to tell insecure apps from secure ones. I
hate to say it, but this kind of market failure may require some form of
government intervention -- tort claims, tax incentives, mandatory
disclosure, or something. Oh, and the Common Criteria ain't it.

Okay, so maybe you're right for the wrong reason. If we want more secure
code, we better fix the "security information" market first. We need to
shoot for a "fair" information market where everyone has the same
information. Then market forces actually work for security. Only then does
developer education become critical.

For now, only isolated pockets of software development that are shielded
somehow from this market failure will be very interested in security
training. They *do* exist sporadically in the Global2000 and DoD, in
projects like sensitive intranet web apps/services and high profile internet
web applications. They take our classes and we're helping them improve their
SDLC so it produces secure code.

--Jeff

Jeff Williams
Aspect Security
http://www.aspectsecurity.com