Secure Coding mailing list archives
Blog skiers versus snowboarders CISSPs vs programmers
From: arian.evans at anachronic.com (Arian J. Evans)
Date: Tue, 12 Jan 2010 12:06:54 -0800
The software security problem is a huge problem. There are not enough CISSPs to even think about solving this problem. CISSPs probably should have a tactical role helping categorize, classify, and facilitate getting things done.

Scanner jockeys and network security folk will lead the operational charge to WAF and block and such. (Good or bad, you're gonna need this stuff; the problem is just too darn big.)

I don't think many good devs who enjoy building are going to want to change careers to do source code audits. That gets mind-numbing awfully fast.

Developers definitely have a role to play in solving a lot of the basic syntax-attack stuff, by proper selection and application of modern frameworks, technologies, and gap APIs (like ESAPI). Most CISSPs lack the skill to provide much value here.

Design issues will always exist, unless users some day wake up and decide they prefer security over usability. But I don't see that happening any time soon. Heck, my password on all my work machines is "password".

$0.02 USD.

---
Arian Evans
capitalist marksman. eats animals.

On Tue, Jan 12, 2010 at 8:44 AM, Matt Parsons <mparsons1980 at gmail.com> wrote:
I wrote a blog post on the state of software security using the analogy of skiers versus snowboarders in the early '90s. Please let me know your thoughts and comments by replying to this list or on my blog. http://parsonsisconsulting.blogspot.com/

Thanks,
Matt

Matt Parsons, MSM, CISSP
315-559-3588 Blackberry
817-294-3789 Home office
mailto:mparsons1980 at gmail.com
http://www.parsonsisconsulting.com
http://www.o2-ounceopen.com/o2-power-users/
http://www.linkedin.com/in/parsonsconsulting
http://parsonsisconsulting.blogspot.com/

_______________________________________________
Secure Coding mailing list (SC-L) SC-L at securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
_______________________________________________
Current thread:
- new post: The Three Domains of Application Security Benjamin Tomhave (Jan 11)
- Blog skiers versus snowboarders CISSPs vs programmers Matt Parsons (Jan 12)
- Blog skiers versus snowboarders CISSPs vs programmers Arian J. Evans (Jan 12)
- Blog skiers versus snowboarders CISSPs vs programmers Benjamin Tomhave (Jan 13)
- Blog skiers versus snowboarders CISSPs vs programmers Lindley James R (Jan 13)
- Blog skiers versus snowboarders CISSPs vs programmers Arian J. Evans (Jan 12)
- Blog skiers versus snowboarders CISSPs vs programmers Matt Parsons (Jan 12)