Secure Coding mailing list archives
quick question - SXSW
From: gunnar at arctecgroup.net (Gunnar Peterson)
Date: Wed, 12 Mar 2008 20:49:23 -0500
I agree this is a big issue, there is no cotton picking way that the security people are solving these problems, it has to come from the developers. I put together a track for QCon which included Brian Chess on Static Analysis, John Steven on Threat Modeling, and Jeff Williams on ESAPI and Web 2.0 security. The presentations were great, the audience was engaged and enthusiastic but small; it turns that it is hard to compete with the likes of Martin Fowler, Joshua Bloch, and Richard Gabriel. Even when what they are talking about is some nth level refinement and what we are talking about is all the gaping holes in the previous a-m refinements and how to close some of them. http://jaoo.dk/sanfrancisco/tracks/show_track.jsp?trackOID=73 -gp Kenneth Van Wyk wrote:
Ben, Your point is a good one -- the software security community needs to be vigilant in reaching out to developers and spreading "the word". FWIW, some dev conferences have done this. I spoke at SD West in 2006, and there was a significant security track there. Still, it'd be great to see that sort of thing at more dev-specific conferences. Cheers, Ken van Wyk SC-L Moderator On Mar 12, 2008, at 5:31 PM, Benjamin Tomhave wrote:First, thanks for that Bill, it exemplifies my point perfectly. A couple thoughts... one, targeting designers is just as important as reaching out to the developers themselves... if the designers can ensure that security requirements are incorporated from the outset, then we receive an added benefit... two, a re-phrasing around my original thought... somehow we need to get security thinking and considerations encoded into the DNA of everyone in the business, whether they be designers, architects, coders, analysts, PMs, sysadmins, etc, etc, etc. Every one of those topics you mention could (should!) have had implicit and explicit security attributes included... yet we're still at the point where secure coding has to be explicitly requested/demanded (often as an afterthought or bolt-on)... How do we as infosec professionals get people to the next phase of including security thoughts in everything they do... with the end-goal being that it is then integrated fully into practices and processes as a bona fide genetic mutation that is passed along to future generations? To me, this seems to be where infosec is stuck as an industry. There seems to be a need for a catalyst to spur the mutation so that it can have a life of its own. :) fwiw. -ben -- Benjamin Tomhave, MS, CISSP falcon at secureconsulting.net LI: http://www.linkedin.com/in/btomhave Blog: http://www.secureconsulting.net/ Photos: http://photos.secureconsulting.net/ Web: http://falcon.secureconsulting.net/ [ Random Quote: ] Augustine's Second Law of Socioscience: "For every scientific (or engineering) action, there is an equal and opposite social reaction." http://globalnerdy.com/2007/07/18/laws-of-software-development/ William L. Anderson wrote:Dear Ben, having just been at SXSW Interactive (I live in Austin, TX) I did not see many discussions that pay attention to security, or any other software engineering oriented concerns, explicitly. There was a discussion of scalability for web services that featured the developers from digg, Flickr, WordPress, and Media Temple. I got there about half-way through but the discussion with the audience was about tools and methods to handle high traffic loads. There was a question about build and deployment strategies and I asked about unit testing (mixed answers - some love it, some think it's strong-arm micro-mgt (go figure)). There was a session on OpenID and OAuth (open authorization) standards and implementation. These discussions kind of assume the use of secure transports but since I couldn't stay the whole time I don't know if secure coding was addressed explicitly. The main developer attendees at SXSW would call themselves designers and I would guess many of them are doing web development in PHP, Ruby, etc. I think the majority of attendees would not classify themselves as software programmers. To me it seems very much like at craft culture. That doesn't mean that a track on how to develop secure web services wouldn't be popular. In fact it might be worth proposing one for next year. If you want to talk further, please get in touch. -Bill Anderson praxis101.com Benjamin Tomhave wrote:I had just a quick query for everyone out there, with an attached thought. How many security and/or secure coding professionals are prevalently involved with the SXSW conference this week? I know, I know... it's a big party for developers - particularly the Web 2.0 clique - but I'm just curious. Here's why: I'm increasingly frustrated by the disconnect between business/dev and security. I don't feel like we're being largely successful in getting the business and developers to include security as part of their standard operating procedures. Developers are still oftentimes lazy and sloppy, creating XSS and CSRF and SQL injection holes. I then look at SXSW from afar and think: a) shouldn't I be there evangelizing security? and, b) shouldn't a major thread to all these conferences be about how security is integrating with dev processes and practices, making it better? Maybe I'm just too idealist. I'm curious what everyone else thinks. cheers, -ben------------------------------------------------------------------------ _______________________________________________ Secure Coding mailing list (SC-L) SC-L at securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. _______________________________________________
Current thread:
- quick question - SXSW Benjamin Tomhave (Mar 11)
- quick question - SXSW William L. Anderson (Mar 12)
- quick question - SXSW Benjamin Tomhave (Mar 12)
- quick question - SXSW Kenneth Van Wyk (Mar 12)
- quick question - SXSW Johan Peeters (Mar 12)
- quick question - SXSW Gunnar Peterson (Mar 12)
- quick question - SXSW John Steven (Mar 14)
- quick question - SXSW Benjamin Tomhave (Mar 12)
- quick question - SXSW Arian J. Evans (Mar 12)
- quick question - SXSW Benjamin Tomhave (Mar 12)
- quick question - SXSW Arian J. Evans (Mar 12)
- quick question - SXSW William L. Anderson (Mar 12)
- quick question - SXSW Mike Lyman (Mar 14)
- quick question - SXSW Arian J. Evans (Mar 14)
- quick question - SXSW Gary McGraw (Mar 14)
- quick question - SXSW Arian J. Evans (Mar 13)
- quick question - SXSW Andrew van der Stock (Mar 26)