Secure Coding mailing list archives

Re: Interesting article ZDNet re informal software development quality


From: George Capehart <gwc () acm org>
Date: Fri, 09 Jan 2004 01:24:24 +0000

On Thursday 08 January 2004 05:54 pm, Alun Jones wrote:

<snip>


> It's never the easy problems that get the good discussions going :-)

*grin*


> Many programmers are well aware of what needs to be done to get good
> security, but few feel like they have the time to do so.  I'm never
> satisfied that I've spent enough time securing what I release, but I
> have to cut off at some point so that I can get some income to fund
> further work. Part of good security is balancing security against
> features and risk.

<rant>

But that's what the risk management process is (supposed to be) all 
about.  That's what the certification and accreditation process is all 
about.  That's what the CMM and SSE-CMM are all about.  It is not the 
developer's job to be worried about what needs to be done to get good 
security.  *That* is part of the requirements.  If it's not a 
requirement, then the system owner signs off on it and accepts the 
risk.  Developers are *not* risk managers.  I agree 1000% with your 
position that part of good security is balancing the cost of the 
process and controls against features and risk.  But the decision about 
how much residual risk will be accepted is up to the business owner of 
the system, *not* the developer . . . It's a business decision, not a 
technical one . . . I just don't think it's appropriate or fair for a 
developer (or engineer or operator) to take on the burden of deciding 
how processes must be executed, what controls are to be put in place, 
etc.  Those kinds of things are derived from corporate information 
security policy.  If it ain't there, the corporation has a major 
governance problem . . . It certainly isn't the developer's problem.


> Security is not an absolute.

Absolutely!  ;)

"Security is a process . . ." - Bruce Schneier.

</rant>

ttfn,

George
