WebApp Sec mailing list archives
Re: Secure Coding? Bah!
From: Mark Curphey <mark () curphey com>
Date: Thu, 22 Jan 2004 23:49:48 -0500 (EST)
Great reply and I agree with all you say. Rather than his credentials, I think I really meant "the credentials". What's the statement based on? Where are the facts to support such a strong view? How did he arrive at that conclusion?

There is no doubt business leaders care about money. An XSS issue for a big high street financial services company probably costs around $250,000 (internal costs) to deal with (start to close): incident response, code fix, test, pre-prod, prod, legal advice, enhanced monitoring, press monitoring, corporate communications preparation, regulatory authorities notified, de-briefs. You know what, business people know that! Another thing a business leader would tell you is there is no upside there!

<To quote:>
Case in point: Microsoft spent $200 million retraining its programmers in secure coding principles. That may help reduce some brain-dead programming oversights down the line, but does anybody really think this will make Windows magically secure?
</To quote:>

Firstly, perhaps the author can send me a brain-dead programming oversight in the language of his choice (English does not count, btw) so I can understand an example he is referring to. I don't think the Windows Security Initiative is about brain-dead programming oversights!

Magically secure: not sure where that expectation ever came in, but it certainly is not mine. You have to give MS credit for taking the bull by the horns and dealing with the problem. Nothing's going to change overnight, but if you shoot for the stars you often end up with your head in the nice bright blue sky. There is a serious program in place, and lots of great documentation coming out of the MS team about building secure applications (especially when compared to Sun these days). It gives me more confidence. Enough? Not yet, but it's getting better! I bet beers we'll start to see issues that Windows will be immune to soon and other OSes will have to deal with. It's all too easy to bash MS.
I am just glad he's not in charge of security at any sites I use! Personally I have stopped subscribing to all of the trade press now. It's all so out of sync with what I see in the field, and the views are IMHO so sensationalized or have such a marketing bias, it was just more waste that has no value.

---- "David Wall @ Yozons, Inc." <dwall () yozons com> wrote:

Does anyone know of any information about this author's credentials to make these claims? http://infosecuritymag.techtarget.com/ss/0,295796,sid6_iss306_art550,00.html

Not to be flippant, but what credentials would be needed? He claims to have a CISSP certification, though. Overall, the claim seems rather silly and pointless, as if driving safer "is not going to happen" so there's no need to teach it.

Personally, I work in industry, but while I'm not an "industry leader," I know that there are many businesses that take security seriously when it comes to creating software. I'll grant that we could have better tools to assess our progress, but one way we make more money is by providing a secure solution to our customers. That's our business, though. I've found similar concerns when dealing with IT in telecom, health, banking and brokerage firms. One solution they use is outsourcing or purchasing software that already has a focus on security.

As for academia, I don't think "matriculating Ph.D.s" is required since DePaul University and California State University both offer security-related courses.

In the end, security is a trade-off game. Nothing has to be 100% secure, just secure enough to do business. Maybe Mr. Briney is a purist, so he finds no benefit in getting better at security without having total security. Starbucks doesn't put metal detectors and armed guards in its stores, not because they don't care about security, but because the costs are higher than the benefits, including alienating their customers. I think the same is true for software. Good software is designed with security in mind from the get-go, and many companies realize that good security makes for a better product. After all, nobody wants their product to be victimized in the public's eye!

David

---------------------------------------------
David A. E. Wall
Chief Software Architect
Yozons, Inc.
Kirkland, Washington USA
Tel 425.822.4465  david.wall () yozons com
Fax 425.827.9415  www.yozons.com
Cell 425.985.6519
Yozons Signed & Secured - A secure document delivery, electronic signature, spam-free, virus-free business private network - Used and proven by many in the Fortune 500 - Low cost, hosted solutions for smaller businesses