Secure Coding mailing list archives
RE: Is developer education a lost cause?
From: Jeremy Epstein <jeremy.epstein () webmethods com>
Date: Fri, 30 Jan 2004 17:15:18 +0000
OK, I'll take a slightly different tack on this. I believe that developer education is a lost cause. But wait... not because developers don't care, or because they don't want to build secure code, or because their managers don't care. It's because customers don't care.

Whether you're an ISV and have external customers, or whether you're developing software for in-house customers, it's only feasible to put time/money into security if customers want it. And my experience in dealing with hundreds of customers is that 99%+ care about features (including security features), and less than 1% understand or care about software quality. It's simply not a significant factor (or probably even an insignificant factor) in the buying decision. And until it is, we can say all the wonderful things we want.... investing in improved security is ALMOST always a waste of money. If as a development manager I have to go ask for more money for something that has no return, I should be shot down... there's no Return on Investment.

Now I know that's controversial... but how much revenue has any vendor actually lost due to security bugs? Even with all of Microsoft's problems, it's only in their most recent quarter that they saw *any* economic impact on the purchasing side (some delayed purchases due to perceived quality)... and that's *after* they spent a lot of money trying to improve their quality. [Whether they were successful or not is another topic.]

So I think training developers is mostly a waste of time & money. We should spend our time instead on convincing software purchasers that they should care. Then, and only then, is training developers worthwhile.

Representing my opinions, not those of my employer, yada yada.

--Jeremy