Secure Coding mailing list archives
Perspectives on Code Scanning
From: secureCoding2dave at davearonson.com (SC-L Subscriber Dave Aronson)
Date: Thu, 07 Jun 2007 12:59:12 +0000
McGovern, James F (HTSC, IT) [mailto:James.McGovern at thehartford.com] writes:

> the value of tools in this space is not really targeted at developers but should be targeted at executives who care about overall quality and security folks who care about risk. While developers are the ones to remediate, the accountability for secure coding resides elsewhere.
Sort of. There are multiple levels of accountability. As has been said here many times: the developers should be held accountable for producing secure software, but the management must give them the time and tools to do so, and management usually places far higher priority on things like ease of use and especially on time to market.
> It would seem to me that tools that developers plug into their IDE should be free since the value proposition should reside elsewhere. Many of these tools provide "audit" functionality and allow enterprises to gain a view into their portfolio that they previously had zero clue about and this is where the value should reside.
Heh. Yeah, I'd like to see some executive dashboard saying things like whose code currently generates the most warnings, especially if those warnings are from security analysis tools. B-) Of course, most executives won't bother looking at something that "techy", let alone understand the significance. B-(
> If there is even an iota of agreement, wouldn't it be in the best interest of folks here to get vendors to ignore developer specific licensing and instead focus on enterprise concerns?
Unfortunately, that often means that ANY license at all for it will be horrendously expensive, so that small shops are totally cut out.

-Dave

--
Dave Aronson
"Specialization is for insects." -Heinlein
Work: http://www.davearonson.com/
Play: http://www.davearonson.net/