Secure Coding mailing list archives

Customer Demand

From: andrews at rbacomm.com (Brad Andrews)
Date: Fri, 21 Aug 2009 11:08:32 -0500



While no customer is likely to say they don't care about software  
working now that we are past Y2K, they don't think about it at all and  
are unlikely to allow any schedule slippage to allow for making sure  
that is true.

Customers only really care about the things they will pay for.  Many  
companies claim they "can't stand" poor software or services, but they  
still pay for them, so they will keep getting them.

Until we convince them that good security really is important and that  
they must demand and pay for it, we won't make the progress we want to  
make.

How many companies wouldn't even be doing the PCI level of effort if  
they weren't forced to do so?  How many strictly limit it to their  
"PCI environment" rather than looking at the risk to the whole  
enterprise?  Even major breaches don't help since the "it can't happen  
here" attitude is common all over, in spite of the fact it is a risky  
stance.

While part of this is just a cynical rant, I think the base point is  
that we have a whole lot more selling to do on the need for software  
security before we can properly place it throughout the curriculum.   
That sales job is hard.  The fact a few people have "gotten it"  
doesn't mean most have or that we are completely ready for the next  
step.

I realize many here may not be saying that, but that is the message I  
get stepping back.  And I am a dreamer/visionary.  I like to think  
well ahead of things, but focusing too much there makes us likely to  
continue to be a niche area, leaving lots of vulnerabilities.

Wouldn't a better focus be on the customer demand end?  Stirring that  
up will do more to advance secure development than any number of  
maturity models.  Unfortunately, it is a much more difficult task.  I  
would bet it is also not as conceptually interesting to many.

-- 

Brad Andrews
RBA Communications
CISM, CSSLP, SANS/GIAC GSEC, GCFW, GCIH, GPCI


Quoting Martin Gilje Jaatun <secse-chair at sislab.no>:

His stance on this
is that "if security were important to the customer, the customer would
provide and prioritize security requirements". To me, this is a bit like
saying "If the customer doesn't explicitly state that the software
should be Y2k-proof, he/she is not really bothered about it".

Current thread:

Security as a part of code quality (Was: Re: Where Does Secure Coding Belong In the Curriculum?), (continued)
- - - Security as a part of code quality (Was: Re: Where Does Secure Coding Belong In the Curriculum?) Gary McGraw (Aug 21)
    - Functional Correctness Brad Andrews (Aug 21)
    - Functional Correctness Gary McGraw (Aug 21)
    - Functional Correctness Brad Andrews (Aug 21)
    - Functional Correctness Cassidy, Colin (GE Infra, Energy) (Aug 22)
    - Functional Correctness Pravir Chandra (Aug 24)
    - Where Does Secure Coding Belong In the Curriculum? McGovern, James F (HTSC, IT) (Aug 25)
    - Where Does Secure Coding Belong In the Curriculum? Goertzel, Karen [USA] (Aug 25)
    - Where Does Secure Coding Belong In the Curriculum? Wall, Kevin (Aug 25)
    - Functional Correctness Jim Manico (Aug 21)
    - Customer Demand Brad Andrews (Aug 21)
    - Customer Demand Goertzel, Karen [USA] (Aug 21)
    - Customer Demand Brad Andrews (Aug 21)
- Where Does Secure Coding Belong In the Curriculum? Gary McGraw (Aug 20)
  - Where Does Secure Coding Belong In the Curriculum? Goertzel, Karen [USA] (Aug 20)
    - Where Does Secure Coding Belong In the Curriculum? Neil Matatall (Aug 20)
    - Where Does Secure Coding Belong In the Curriculum? Robert Seacord (Aug 21)
  - Where Does Secure Coding Belong In the Curriculum? Rob Floodeen (Aug 21)
    - Grading Secure Programs Brad Andrews (Aug 21)
    - Grading Secure Programs Julie J.C.H. Ryan, D.Sc. (Aug 21)
- Where Does Secure Coding Belong In the Curriculum? Mike Lyman (Aug 21)

(Thread continues...)