Secure Coding mailing list archives

Previous By Date Next
Previous By Thread Next

Perspectives on Code Scanning

From: alphonce at buffalo.edu (Carl Alphonce)
Date: Sun, 10 Jun 2007 11:31:13 -0400

[Apologies for this reply being a bit behind the discussion - I originally submitted it from a different
e-mail account than the one I subscribed with, and so it sailed off to /dev/null.]

On Wed Jun  6 18:59 , "Michael Silk" michaelslists at gmail.com> sent:

On 6/7/07, McGovern, James F (HTSC, IT) James.McGovern at thehartford.com> wrote:

I really hope that this email doesn't generate a ton of offline emails and hope that folks will
talk publicly. It has been my latest thinking that the value of tools in this space are not really
targeted at developers but should be targeted at executives who care about overall quality
and security folks who care about risk. While developers are the ones to remediate, the
accountability for secure coding resides elsewhere.


and that's the problem. the accountability for insecure coding should
reside with the developers. it's their fault [mostly].


I started to look through the ACM Code Of Ethics (COE) to see what it says about this.  ACM has
a general COE:

    http://www.acm.org/constitution/code.html

and one for Software Engineering and Professional Practice:

    http://www.acm.org/serving/se/code.htm

I glanced through them fairly quickly, but neither appears to specifically address secure coding. 
Reading through both it seems to me that the spirit of both of these COE documents is that everyone
involved in the production of software (including developers and managers) has an obligation to
ensure the quality/reliability/safety of the software.  (It would be interesting to look at other professional
organizations' COEs too.)

This makes sense to me.  If only developers are held responsible, then it is too easy for management to make
the work environment difficult for developers who sweat code security, and then wash their hands of it.
Similarly, if only the managers are responsible, the developers can take shortcuts to meet deadlines and
avoid responsibility if the software breaks.  If everybody has a stake in the security of the software, maybe
it will happen.
Previous By Date Next
Previous By Thread Next

Current thread: