Secure Coding mailing list archives
OWASP Publicity
From: crispin at crispincowan.com (Crispin Cowan)
Date: Thu, 15 Nov 2007 12:28:47 -0800
McGovern, James F (HTSC, IT) wrote:
I have observed an interesting behavior in that the vast majority of IT executives still haven't heard about the principles behind secure coding. My take says that we are publishing information in all the wrong places. IT executives don't really read ACM, IEEE or other sporadic postings from bloggers, but they do read CIO, Wall Street Journal and, most importantly, listen to each other. What do folks on this list think about asking the magazines and newspapers to publish? I am willing to gather contact information of news reporters and others within the media if others are willing to amplify the call to action in terms of contacting them.
The vast majority of IT executives are unfamiliar with all of the principles of security, firewalls, coding, whatever. The important thing to understand is that such principles are below their granularity; they are *right* to not care about such principles, because they can't do anything about them. Their granularity of decision making is which products to buy, which strategies to adopt, which managers to hire and fire. Suppose they did understand the principles of secure coding; how then would they use that to decide between firewalls? Web servers? Application servers?

If anything, the idea that needs to be pitched to IT executives is to pay more attention to "quality" than to shiny buttons & features. But there's the rub: what is "quality" and how can an IT executive measure it? I have lots of informal metrics that I use to measure quality, but they largely amount to synthesized reputation capital, derived from reading bugtraq and the like with respect to how many vulnerabilities I see with respect to a given product, e.g. Qmail and Postfix are extremely secure, Pidgin not so much :)

But as soon as we formalize anything like this kind of metric, and get executives to start buying according to it, then vendors start gaming the system. They start developing, aiming at getting the highest whatever-metric score they can, rather than for actual quality. This happens because metrics that approximate quality are always cheaper to achieve than actual quality. This is a very, very hard problem, and sad to say, but pitching articles on principles to executives won't solve it.

Crispin

-- 
Crispin Cowan, Ph.D. http://crispincowan.com/~crispin
CEO, Mercenary Linux http://mercenarylinux.com/
Itanium. Vista. GPLv3. Complexity at work