Secure Coding mailing list archives

RE: Is developer education a lost cause?


From: "Robert Shields" <rshields () star net uk>
Date: Fri, 23 Jan 2004 14:27:15 +0000

A developer only writes code to meet project requirements. The
requirements for a typical project will not mention security, and even
if they did, how would you test whether or not an application is secure?
A typical tester will not be able to test this unless they are specially
trained. Thus, the decision to write secure code needs to be made at a
management level and incorporated into company-wide policy.

Rob Shields
Software Engineer
Star Internet Ltd


-----Original Message-----
From: Jason Wilcox [mailto:[EMAIL PROTECTED] 
Sent: 22 January 2004 23:30
To: 'Kenneth R. van Wyk'; [EMAIL PROTECTED]
Subject: RE: [SC-L] Is developer education a lost cause?


Quite simply, the problem will never be solved by simply targeting the
developers. Developers are very simple people; they do what they need to
in order to get the job done according to the requirements they are
given and the time constraints they have.

The focus needs to be on managers, project managers, customers, and
consumers; it's that simple. Developers in general would be happy
programming securely if they weren't penalized for it. And by penalized
I am talking about the extended timelines that they will require vs. the
developers that don't do it, or by those that recognize that if they do,
they don't get the job, raise, promotion, or whatever it would be. But in
general we don't talk about that side of it.

Are developers a lost cause? No, they aren't. Is the developer the root
of the problem, or in a position to solve the problem? No, they are not.

Jason P Wilcox
Director Security Services
SecureNet LTD

-----Original Message-----
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Kenneth R. van Wyk
Sent: Thursday, January 22, 2004 3:55 PM
To: [EMAIL PROTECTED]
Subject: [SC-L] Is developer education a lost cause?

Hi all,

Over on the Full-Disclosure mailing list, there was a recent thread that
questioned whether trying to educate the end consumer of PC products is a
lost cause.  Malicious software has managed to dupe unsuspecting users into
doing things that security professionals have frowned on for many years,
despite untold numbers of news stories warning users about the problems.
To many, it would appear that the computing masses are...
<diplomatic>knowledge resistant</diplomatic>.  :-)

Well, if things are really that bad for the end consumer, how does the
situation bode for the average software developer?  That is, we've all seen
untold numbers of news stories about buffer overflows and the like.  Why is
it that we don't seem to be making much progress in stamping out these
things?  (I should note that I am not including present company here on
SC-L in this question, since we're presumably all here because we're
concerned enough about secure application development that we want
to discuss and learn with other like-minded folk.)

Is developer education a lost cause?

I happen to think that it isn't, but that opinion isn't shared by everyone.
Indeed, a few of the people that I talked with about participating here on
SC-L were reluctant because they were fed up with trying to educate the
masses.

If you agree that it isn't a lost cause, then what more {c|sh}ould be done?

That said, how do we measure or even know if things are improving?  By the
number of vulnerability advisories per month?  (I hope not.)

Cheers,

Ken van Wyk

This e-mail has been scanned for all viruses by Star 
Internet. The service is powered by MessageLabs. For more 
information on a proactive anti-virus service working around 
the clock, around the globe, visit: http://www.star.net.uk 
_____________________________________________________________________