WebApp Sec mailing list archives
RE: Secure Coding? Bah!
From: <Glenn_Everhart () bankone com>
Date: Fri, 23 Jan 2004 08:48:59 -0500
The article's point seems to be yet another rant that wants to convince us that nobody can do any better than Microsoft has done, so get used to perpetual hourly patches. You get security out of software development by having a culture that demands it among the developers. Such cultures do exist, even in the commercial OS market, producing OSs with good resistance to attack. Not perfect, but needing a handful or fewer patches per year... Ranting that education is useless, that "everyone" demands features first, last and only, that nothing can be done better than continual patches, is not innocent. It contributes to the problem because it fails to reward those who HAVE a culture of security, rewards those who have not, and reduces incentive to force improvement. (If you convince enough judges that nobody can do better, what will happen when someone wants to enforce warranties of merchantability on software sales, and hold sellers to account?) The author claims to dislike insecure code. He is powerfully encouraging its development.

-----Original Message-----
From: David Wall @ Yozons, Inc. [mailto:dwall () yozons com]
Sent: Thursday, January 22, 2004 11:08 PM
To: webappsec () securityfocus com
Subject: Re: Secure Coding? Bah!
Does anyone know of any information about this author's credentials to make these claims?
http://infosecuritymag.techtarget.com/ss/0,295796,sid6_iss306_art550,00.html

Not to be flippant, but what credentials would be needed? He claims to have a CISSP certification, though.

Overall, the claim seems rather silly and pointless, as if driving safer "is not going to happen" so there's no need to teach it.

Personally, I work in industry, but while I'm not an "industry leader," I know that there are many businesses that take security seriously when it comes to creating software. I'll grant that we could have better tools to assess our progress, but one way we make more money is by providing a secure solution to our customers. That's our business, though. I've found similar concerns when dealing with IT in telecom, health, banking and brokerage firms. One solution they use is outsourcing or purchasing software that already has a focus on security.

As for academia, I don't think "matriculating Ph.D.s" is required since DePaul University and California State University both offer security-related courses.

In the end, security is a trade-off game. Nothing has to be 100% secure, just secure enough to do business. Maybe Mr. Briney is a purist, so he finds no benefit in getting better at security without having total security. Starbucks doesn't put metal detectors and armed guards in its stores, not because they don't care about security, but because the costs are higher than the benefits, including alienating their customers. I think the same is true for software. Good software is designed with security in mind from the get-go, and many companies realize that good security makes for a better product. After all, nobody wants their product to be victimized in the public's eye!

David

---------------------------------------------
David A. E. Wall
Chief Software Architect
Yozons, Inc.
Kirkland, Washington USA
Tel 425.822.4465
Fax 425.827.9415
Cell 425.985.6519
david.wall () yozons com
www.yozons.com

Yozons Signed & Secured - A secure document delivery, electronic signature, spam-free, virus-free business private network - Used and proven by many in the Fortune 500 - Low cost, hosted solutions for smaller businesses

This transmission may contain information that is privileged, confidential and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format. Thank you.