Secure Coding mailing list archives

RE: Is developer education a lost cause?


From: Jeremy Epstein <jeremy.epstein () webmethods com>
Date: Fri, 30 Jan 2004 17:15:18 +0000

OK, I'll take a slightly different tack on this.

I believe that developer education is a lost cause.  But wait... not because
developers don't care, or because they don't want to build secure code, or
because their managers don't care.  It's because customers don't care.

Whether you're an ISV and have external customers, or whether you're
developing software for in-house customers, it's only feasible to put
time/money into security if customers want it.  And my experience in dealing
with hundreds of customers is that 99%+ care about features (including
security features), and less than 1% understand or care about software
quality.  It's simply not a significant factor (or probably even an
insignificant factor) in the buying decision.  And until it is, we can say
all the wonderful things we want.... investing in improved security is
ALMOST always a waste of money.  If as a development manager I have to go
ask for more money for something that has no return, I should be shot
down... there's no Return on Investment.

Now I know that's controversial... but how much revenue has any vendor
actually lost due to security bugs?  Even with all of Microsoft's problems,
it's only in their most recent quarter that they saw *any* economic impact
on the purchasing side (some delayed purchases due to perceived quality)...
and that's *after* they spent a lot of money trying to improve their
quality.  [Whether they were successful or not is another topic.]

So I think training developers is mostly a waste of time & money.  We should
spend our time instead on convincing software purchasers that they should
care.  Then, and only then, is training developers worthwhile.

Representing my opinions, not those of my employer, yada yada.

--Jeremy