Re: How do we improve s/w developer awareness?

[Nick Murison <nick () urgusabic net>]

[ Apologies to moderator for the resend.  I've not PGP/MIME signed this
  one, as I guess that's the reason for the last copy disappearing. ]
[Ed. Apologies back at ya, as I'm on the road this week and trying my best
to deal with a brain-damaged web emailer. KRvW]

On Fri, Nov 12, 2004 at 08:24:59AM -0500, Jeff Williams wrote:
> In my opinion, the way out of this trap is to get more information to
> consumers about the security in software.  Information like how many lines
> of code, what languages, what libraries, process used, security testing
> done, mechanisms included, and other information can and should be
> disclosed.

These metrics are all well and good, but what makes you think consumers will
ever be able to care about such things?  Consumers have so far only cared
about security when it directly affects them.  One could argue that's how it
should be; users should never have to worry about the software they are
running because "bad" software should never get past the door of the
developers.

Providing consumers with assurances about the security of their systems strikes me as a good idea,
and this is how
it's worked for government contracts.
However, they need to be in terms which the average consumer will a) understand and b) care about.

What would be nice to see would be some form of competition based on
security, and not just the latest wiz-bangs in Grokulator 4.3.  How exactly
you get consumers to care about these things before it immediately affects
them is the question we should be looking at.

Regards,
-- 
Nicholas John Murison
~~~~~~~~~~~~~~~~~~~~~
http://www.urgusabic.net