Secure Coding mailing list archives
RE: Is developer education a lost cause?
From: "Jason Wilcox" <jasonw () securenetltd com>
Date: Fri, 23 Jan 2004 00:49:56 +0000
Quite simply the problem will never be solved by simply targeting the developers. Developers are very simple people, they do what they need to in order to get the job done according to the requirements they are given and the time constraints they have. The focus needs to be on managers, project managers, customers, and consumers it's that simple. Developers in general will be happy programming securely if they weren't penalized for it. And by penalized I am talking about the extended timelines that they will require vs the developers that don't do it, or by those that recognize that if they do, they don't get the job, raise, promotion, or whatever it would be. But in general we don't talk about that side of it. Are developers a lost cause no they aren't. Is the developer the root of the problem, or in a position to solve the problem? No they are not. Jason P Wilcox Director Security Services SecureNet LTD -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kenneth R. van Wyk Sent: Thursday, January 22, 2004 3:55 PM To: [EMAIL PROTECTED] Subject: [SC-L] Is developer education a lost cause? Hi all, Over on the Full-Disclosure mailing list, there was a recent thread that questioned whether trying to educate the end consumer of PC products is a lost cause. Malicious software has managed to dupe unsuspecting users into doing things that security professionals have frowned on for many years, despite untold numbers of news stories warning users about the problems. To many, it would appear that the computing masses are... <diplomatic>knowledge resistant</diplomatic>. :-) Well, if things are really that bad for the end consumer, how does the situation bode for the average software developer? That is, we've all seen untold numbers of news stories about buffer overflows and the like. Why is it that we don't seem to be making much progress in stamping out these things? (I should note that I am not including present company here on SC-L in this question, since we're presumably all here because we're concerned enough about secure application development that we want to discuss and learn with other like-minded folk.) Is developer education a lost cause? I happen to think that it isn't, but that opinion isn't shared by everyone. Indeed, a few of the people that I talked with about participating here on SC-L were relucant because they were fed up with trying to educate the masses. If you agree that it isn't a lost cause, then what more {c|sh}ould be done? That said, how do we measure or even know if things are improving? By the number of vulnerability advisories per month? (I hope not.) Cheers, Ken van Wyk
Current thread:
- Is developer education a lost cause? Kenneth R. van Wyk (Jan 22)
- RE: Is developer education a lost cause? Jason Wilcox (Jan 22)
- Re: Is developer education a lost cause? Joe Teff (Jan 22)
- RE: Is developer education a lost cause? Michael S Hines (Jan 23)
- Re: Is developer education a lost cause? Pascal Meunier (Jan 23)
- Re: Is developer education a lost cause? Chris Wysopal (Jan 23)
- Re: Is developer education a lost cause? George Capehart (Jan 23)
- <Possible follow-ups>
- RE: Is developer education a lost cause? Robert Shields (Jan 23)
- Re: Is developer education a lost cause? Richard Moore (Jan 23)
- RE: Is developer education a lost cause? Giri, Sandeep (Jan 23)
- RE: Is developer education a lost cause? Robert Shields (Jan 23)
- Re: Is developer education a lost cause? Gary McGraw (Jan 23)
(Thread continues...)