Secure Coding mailing list archives

Perspectives on Code Scanning


From: secureCoding2dave at davearonson.com (SC-L Subscriber Dave Aronson)
Date: Thu, 07 Jun 2007 12:59:12 +0000

McGovern, James F (HTSC, IT) [mailto:James.McGovern at thehartford.com] writes:

> the value of tools in this space is not really targeted at developers
> but should be targeted at executives who care about overall quality and
> security folks who care about risk. While developers are the ones to
> remediate, the accountability for secure coding resides elsewhere.

Sort of.  There are multiple levels of accountability.  As has been said here many times: the developers should be held 
accountable for producing secure software, but the management must give them the time and tools to do so, and 
management usually places far higher priority on things like ease of use and especially on time to market.

> It would seem to me that tools that developers plug into their IDE should
> be free since the value proposition should reside elsewhere. Many of these
> tools provide "audit" functionality and allow enterprises to gain a view
> into their portfolio that they previously had zero clue about and this is
> where the value should reside.

Heh.  Yeah, I'd like to see some executive dashboard saying things like whose code currently generates the most 
warnings, especially if those warnings are from security analysis tools.  B-)  Of course, most executives won't bother 
looking at something that "techy", let alone understand the significance.  B-(

> If there is even an iota of agreement, wouldn't it be in the best interest
> of folks here to get vendors to ignore developer specific licensing and
> instead focus on enterprise concerns?

Unfortunately, that often means that ANY license at all for it will be horrendously expensive, so that small shops are 
totally cut out.

-Dave

-- 
Dave Aronson
"Specialization is for insects."  -Heinlein
Work: http://www.davearonson.com/
Play: http://www.davearonson.net/