Secure Coding mailing list archives
quick question - SXSW
From: list-spam at secureconsulting.net (Benjamin Tomhave)
Date: Wed, 12 Mar 2008 21:08:37 -0400
I think you misunderstood my points a little bit. SXSW was just a current conference example. As Gary's pointed out, there are many conferences. It's possible SXSW wasn't a good example, but it was meant more symbolically. More comments inline... Arian J. Evans wrote:
1. This is largely the wrong crowd. Designers of small web2.0 stuffs, particularly the domain of widgets and WS interfaces for all the usual suspect platforms (flickr, facebook etc.) as well as most startups: They just don't care. They will never care.
I fundamentally disagree. Everybody is the right crowd, assuming the message is tailored appropriately. It's precisely the perspective you espouse that concerns me greatly. I don't believe the security industry _as_a_whole_ has maintained momentum, and I attribute that directly to the SEP* effect. This goes directly to my larger point about ingraining security considerations/thoughtfulness/practices into all aspects of the business (not just coding, btw). *See http://en.wikipedia.org/wiki/Somebody_Else%27s_Problem_field
2. This "security DNA" notion -- I don't really buy it. I don't think there's a big tipping point coming for "all hands in for writing secure software" in our near future. Maybe if people start dying because of insecure software, this will change, but until then ...
If everyone starts coding more responsibly, then at some point the genre of "secure coding" goes away, because it's inherent in everything that's written. Today, I'd settle for all externally-facing apps being coded to address the OWASP Top 10, and to get developers to think for a change before doing silly things like implementing client-side filtering in the client code.
I do see increasing awareness is mid to large size organizations (fortune 2000 +). Developers are more aware and more interested in security, but mostly in organizations that penalize (fire or domote) individuals involved in public security blunders.
Hard-earned gains. How do we institutionalize these practices and get beyond playing the role of Law Enforcement for the security department?
Overall security is not a feature or a function that you can monetarize. It's not even cool or sexy. It's an emergent behavior that is only observed when it is making your software harder to use.
On the first sentence, I say "yes, exactly!" On the second sentence, I couldn't disagree more. Security should not be "making your software harder to use." Address XSS, CSRF, SQL injection, and input/output filtering/encoding should not diminish the end-user experience. Things like 2-factor authentication might have that result, but we're not really talking about that right now.
Not until insurance or substantial penalties are the norm (if they are ever the norm) will we have meaningful quantitative data to drive a justification for security as a requirement in startup or most open source software projects. That's my opinion, anyway.
I would really like for you to be wrong, but I can't really disagree with your base conclusion here. Hence my frustration. It provides a good case for shelving all security departments until the business starts taking major hits and they come begging for help. Honestly, I don't understand it. Businesses don't disagree that they need properly secured code/sites/etc. Yet, by the same token, they don't do what's necessary up front to secure their code/sites/etc. It's a truly bizarre disconnect that boggles my mind. Thanks for the response! :) -ben -- Benjamin Tomhave, MS, CISSP falcon at secureconsulting.net LI: http://www.linkedin.com/in/btomhave Blog: http://www.secureconsulting.net/ Photos: http://photos.secureconsulting.net/ Web: http://falcon.secureconsulting.net/ [ Random Quote: ] "A man without a goal is like a ship without a rudder." Thomas Carlyle
Current thread:
- quick question - SXSW Benjamin Tomhave (Mar 11)
- quick question - SXSW William L. Anderson (Mar 12)
- quick question - SXSW Benjamin Tomhave (Mar 12)
- quick question - SXSW Kenneth Van Wyk (Mar 12)
- quick question - SXSW Johan Peeters (Mar 12)
- quick question - SXSW Gunnar Peterson (Mar 12)
- quick question - SXSW John Steven (Mar 14)
- quick question - SXSW Benjamin Tomhave (Mar 12)
- quick question - SXSW Arian J. Evans (Mar 12)
- quick question - SXSW Benjamin Tomhave (Mar 12)
- quick question - SXSW Arian J. Evans (Mar 12)
- quick question - SXSW William L. Anderson (Mar 12)
- quick question - SXSW Mike Lyman (Mar 14)
- quick question - SXSW Arian J. Evans (Mar 14)
- quick question - SXSW Gary McGraw (Mar 14)
- quick question - SXSW Arian J. Evans (Mar 13)
- quick question - SXSW Andrew van der Stock (Mar 26)
- <Possible follow-ups>
- quick question - SXSW Gary McGraw (Mar 12)
- quick question - SXSW Andy Steingruebl (Mar 12)
- quick question - SXSW Gary McGraw (Mar 12)