Secure Coding mailing list archives
Re: Interesting article ZDNet re informal software development quality
From: George Capehart <gwc () acm org>
Date: Fri, 09 Jan 2004 01:24:24 +0000
On Thursday 08 January 2004 05:54 pm, Alun Jones wrote:
<snip>
> It's never the easy problems that get the good discussions going :-)

*grin*

> Many programmers are well aware of what needs to be done to get good security, but few feel like they have the time to do so. I'm never satisfied that I've spent enough time securing what I release, but I have to cut off at some point so that I can get some income to fund further work. Part of good security is balancing security against features and risk.

<rant> But that's what the risk management process is (supposed to be) all about. That's what the certification and accreditation process is all about. That's what the CMM and SSE-CMM are all about. It is not the developer's job to be worried about what needs to be done to get good security. *That* is part of the requirements. If it's not a requirement, then the system owner signs off on it and accepts the risk. Developers are *not* risk managers. I agree 1000% with your position that part of good security is balancing the cost of the process and controls against features and risk. But the decision about how much residual risk will be accepted is up to the business owner of the system, *not* the developer . . . It's a business decision, not a technical one . . . I just don't think it's appropriate or fair for a developer (or engineer or operator) to take on the burden of deciding how processes must be executed, what controls are to be put in place, etc. Those kinds of things are derived from corporate information security policy. If it ain't there, the corporation has a major governance problem . . . It certainly isn't the developer's problem.

> Security is not an absolute.

Absolutely! ;) "Security is a process . . ." - Bruce Schneier. </rant>

ttfn,
George