Secure Coding mailing list archives
Re: The problem is that user management doesn't demand security
From: "Kenneth R. van Wyk" <Ken () krvw com>
Date: Tue, 09 Dec 2003 16:06:19 +0000
On Monday 08 December 2003 17:11, Erik van Konijnenburg wrote:
> Treat security as one more aspect to be covered during requirement analysis, and you may have an opportunity to get a conscious decision on security from end user management.
Yes, I also like that approach a lot. And, it's an opportunity/challenge (depending on which side of the coin you're looking at) to educate the application owner about the business risks associated with the application. Ask questions _like_ "how much is this app worth to the company?", "how much will an outage of 1 {hour|day|week} cost the company in lost {revenue|customers|reputation}?". The answers to these questions should, at the very least, help drive the specifications and design. I've seen this work quite well, FWIW. Of course, it does require the development team to have an understanding of and appreciation for these issues, starting at the earliest phase of the development process--and that has to include the techies as well as management...
> Of course, if you're developing COTS software, you have a much tougher job selling security.
No doubt. I think that that is at least in part due to the fact that someone developing special purpose enterprise-level applications has the benefit of knowing what the business process is that his app will be running -- hence, there's at least the potential to have a better understanding of the risks, and then preparing for them. That's not to say that special purpose apps are inherently better designed and implemented, but I believe that they often have an advantage, even if the developers are not explicitly aware of why.

Cheers,

Ken van Wyk
Current thread:
- Re: Let's get the ball rolling -- secure application design tools/processes Jerry Connolly (Dec 03)
- Re: Let's get the ball rolling -- secure application design tools/processes George Capehart (Dec 07)
- Re: Let's get the ball rolling -- secure application design tools/processes Crispin Cowan (Dec 08)
- The problem is that user management doesn't demand security David A. Wheeler (Dec 08)
- Re: The problem is that user management doesn't demand security Dana Epp (Dec 08)
- Re: The problem is that user management doesn't demand security Jared W. Robinson (Dec 09)
- Re: The problem is that user management doesn't demand security Erik van Konijnenburg (Dec 08)
- Re: The problem is that user management doesn't demand security Kenneth R. van Wyk (Dec 09)
- Re: The problem is that user management doesn't demand security George Capehart (Dec 09)
- Re: The problem is that user management doesn't demand security Stephen Galliver (Dec 09)
- Re: The problem is that user management doesn't demand security Andreas Saurwein (Dec 10)
- Re: The problem is that user management doesn't demand security Michael Cassidy (Dec 10)
- Re: Let's get the ball rolling -- secure application design tools/processes George Capehart (Dec 07)
- Re: The problem is that user management doesn't demand security George W. Capehart (Dec 10)
- Re: The problem is that user management doesn't demand security Julie Ryan (Dec 11)