quick question - SXSW

[ken at krvw.com (Kenneth Van Wyk)]

Ben,

Your point is a good one -- the software security community needs to  
be vigilant in reaching out to developers and spreading "the word".

FWIW, some dev conferences have done this.  I spoke at SD West in  
2006, and there was a significant security track there.  Still, it'd  
be great to see that sort of thing at more dev-specific conferences.

Cheers,

Ken van Wyk
SC-L Moderator

On Mar 12, 2008, at 5:31 PM, Benjamin Tomhave wrote:

> First, thanks for that Bill, it exemplifies my point perfectly. A  
> couple
> thoughts...
>
> one, targeting designers is just as important as reaching out to the
> developers themselves... if the designers can ensure that security
> requirements are incorporated from the outset, then we receive an  
> added
> benefit...
>
> two, a re-phrasing around my original thought... somehow we need to  
> get
> security thinking and considerations encoded into the DNA of  
> everyone in
> the business, whether they be designers, architects, coders, analysts,
> PMs, sysadmins, etc, etc, etc. Every one of those topics you mention
> could (should!) have had implicit and explicit security attributes
> included... yet we're still at the point where secure coding has to be
> explicitly requested/demanded (often as an afterthought or bolt-on)...
>
> How do we as infosec professionals get people to the next phase of
> including security thoughts in everything they do... with the end-goal
> being that it is then integrated fully into practices and processes  
> as a
> bona fide genetic mutation that is passed along to future generations?
>
> To me, this seems to be where infosec is stuck as an industry. There
> seems to be a need for a catalyst to spur the mutation so that it can
> have a life of its own. :)
>
> fwiw.
>
> -ben
>
> -- 
> Benjamin Tomhave, MS, CISSP
> falcon at secureconsulting.net
> LI: http://www.linkedin.com/in/btomhave
> Blog: http://www.secureconsulting.net/
> Photos: http://photos.secureconsulting.net/
> Web: http://falcon.secureconsulting.net/
>
> [ Random Quote: ]
> Augustine's Second Law of Socioscience: "For every scientific (or
> engineering) action, there is an equal and opposite social reaction."
> http://globalnerdy.com/2007/07/18/laws-of-software-development/
>
> William L. Anderson wrote:
> > Dear Ben, having just been at SXSW Interactive (I live in Austin,  
> > TX) I
> > did not see many discussions that pay attention to security, or any
> > other software engineering oriented concerns, explicitly.
> >
> > There was a discussion of scalability for web services that  
> > featured the
> > developers from digg, Flickr, WordPress, and Media Temple. I got  
> > there
> > about half-way through but the discussion with the audience was about
> > tools and methods to handle high traffic loads. There was a question
> > about build and deployment strategies and I asked about unit testing
> > (mixed answers - some love it, some think it's strong-arm micro-mgt  
> > (go
> > figure)).
> >
> > There was a session on OpenID and OAuth (open authorization)  
> > standards
> > and implementation. These discussions kind of assume the use of  
> > secure
> > transports but since I couldn't stay the whole time I don't know if
> > secure coding was addressed explicitly.
> >
> > The main developer attendees at SXSW would call themselves  
> > designers and
> > I would guess many of them are doing web development in PHP, Ruby,  
> > etc.
> > I think the majority of attendees would not classify themselves as
> > software programmers.
> >
> > To me it seems very much like at craft culture. That doesn't mean  
> > that a
> > track on how to develop secure web services wouldn't be popular. In  
> > fact
> > it might be worth proposing one for next year.
> >
> > If you want to talk further, please get in touch.
> >
> > -Bill Anderson
> > praxis101.com
> >
> > Benjamin Tomhave wrote:
> > > I had just a quick query for everyone out there, with an attached
> > > thought.
> > >
> > > How many security and/or secure coding professionals are prevalently
> > > involved with the SXSW conference this week? I know, I know...  
> > > it's a big
> > > party for developers - particularly the Web 2.0 clique - but I'm  
> > > just
> > > curious.
> > >
> > > Here's why: I'm increasingly frustrated by the disconnect between
> > > business/dev and security. I don't feel like we're being largely
> > > successful in getting the business and developers to include  
> > > security as
> > > part of their standard operating procedures. Developers are still
> > > oftentimes lazy and sloppy, creating XSS and CSRF and SQL injection
> > > holes.
> > >
> > > I then look at SXSW from afar and think: a) shouldn't I be there
> > > evangelizing security? and, b) shouldn't a major thread to all these
> > > conferences be about how security is integrating with dev  
> > > processes and
> > > practices, making it better?
> > >
> > > Maybe I'm just too idealist. I'm curious what everyone else thinks.
> > >
> > > cheers,
> > >
> > > -ben
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2500 bytes
Desc: not available
Url : http://krvw.com/pipermail/sc-l/attachments/20080312/82d3b08e/attachment.bin