Secure Coding mailing list archives
Choices
From: Crispin Cowan <crispin () immunix com>
Date: Tue, 16 Nov 2004 14:26:30 +0000
Jeff Williams wrote:

> Not to be crass, but what most consumers care about is what the vendors tell them to. It's all about the market. Currently, the market is stuck where vendors don't disclose anything about the security of their process and product, and consumers don't ask. Our job is to change the market so that it works differently. Now you can change a market with taxation, liability (see Bruce Schneier's most recent cryptogram for yet another plea), incentives, regulation, etc... One of the least intrusive models, in my view, is to ensure that everyone has the same information, and let the market sort it out.

Meanwhile, the only people who are *effectively* changing the market are the *attackers* :) Consumers spend more on security, care more about the security of products, pay more attention, etc. etc. in direct response to the level of threat that they perceive. Were it not for the attackers, we could all run highly insecure code, and not give a tinker's damn about it.

Remember that we are fundamentally in the business of solving a problem. Security is the business of saying "no" to requests, and that is fundamentally inconvenient at best, and so our "solution" has to be less annoying than the problem we solve. Taxes & etc. are just ways to make life even more annoying so that people will choose the pain of secure software instead. IMHO, that is only justified when one person's lack of security causes other people gross inconvenience, such as the case of completely unfirewalled home Windows machines chronically infected with zombies.

> I think you're right that the information has to be appropriate for the consumer, or at least enough so that a reasonable software architect could consume it. So if that's the challenge, I'm up for it.

Good luck getting consumers to choose cod liver oil over pop tarts :)

Crispin

--
Crispin Cowan, Ph.D. http://immunix.com/~crispin/
CTO, Immunix http://immunix.com