Secure Coding mailing list archives

quick question - SXSW


From: yo at secappdev.org (Johan Peeters)
Date: Wed, 12 Mar 2008 23:56:58 +0100

I agree.

Reaching the development community, that's precisely what we are
trying to do at secappdev. Thanks for helping with that too, Ken.
I have also taken some security-related sessions to conferences such
as XP Days Benelux, XP Days France and SPA. Appearing soon at ACCU.
I would love to hear from anyone else in this niche.

kr,

Yo

On 3/12/08, Kenneth Van Wyk <ken at krvw.com> wrote:
Ben,

Your point is a good one -- the software security community needs to
be vigilant in reaching out to developers and spreading "the word".

FWIW, some dev conferences have done this.  I spoke at SD West in
2006, and there was a significant security track there.  Still, it'd
be great to see that sort of thing at more dev-specific conferences.

Cheers,

Ken van Wyk
SC-L Moderator

On Mar 12, 2008, at 5:31 PM, Benjamin Tomhave wrote:

First, thanks for that Bill, it exemplifies my point perfectly. A couple
thoughts...

one, targeting designers is just as important as reaching out to the
developers themselves... if the designers can ensure that security
requirements are incorporated from the outset, then we receive an added
benefit...

two, a re-phrasing around my original thought... somehow we need to get
security thinking and considerations encoded into the DNA of everyone in
the business, whether they be designers, architects, coders, analysts,
PMs, sysadmins, etc, etc, etc. Every one of those topics you mention
could (should!) have had implicit and explicit security attributes
included... yet we're still at the point where secure coding has to be
explicitly requested/demanded (often as an afterthought or bolt-on)...

How do we as infosec professionals get people to the next phase of
including security thoughts in everything they do... with the end-goal
being that it is then integrated fully into practices and processes as a
bona fide genetic mutation that is passed along to future generations?

To me, this seems to be where infosec is stuck as an industry. There
seems to be a need for a catalyst to spur the mutation so that it can
have a life of its own. :)

fwiw.

-ben

--
Benjamin Tomhave, MS, CISSP
falcon at secureconsulting.net
LI: http://www.linkedin.com/in/btomhave
Blog: http://www.secureconsulting.net/
Photos: http://photos.secureconsulting.net/
Web: http://falcon.secureconsulting.net/

[ Random Quote: ]
Augustine's Second Law of Socioscience: "For every scientific (or
engineering) action, there is an equal and opposite social reaction."
http://globalnerdy.com/2007/07/18/laws-of-software-development/

William L. Anderson wrote:
Dear Ben, having just been at SXSW Interactive (I live in Austin, TX) I
did not see many discussions that pay attention to security, or any
other software engineering oriented concerns, explicitly.

There was a discussion of scalability for web services that featured the
developers from digg, Flickr, WordPress, and Media Temple. I got there
about half-way through but the discussion with the audience was about
tools and methods to handle high traffic loads. There was a question
about build and deployment strategies and I asked about unit testing
(mixed answers - some love it, some think it's strong-arm micro-mgt (go
figure)).

There was a session on OpenID and OAuth (open authorization) standards
and implementation. These discussions kind of assume the use of secure
transports but since I couldn't stay the whole time I don't know if
secure coding was addressed explicitly.

The main developer attendees at SXSW would call themselves designers and
I would guess many of them are doing web development in PHP, Ruby, etc.
I think the majority of attendees would not classify themselves as
software programmers.

To me it seems very much like a craft culture. That doesn't mean that a
track on how to develop secure web services wouldn't be popular. In fact
it might be worth proposing one for next year.

If you want to talk further, please get in touch.

-Bill Anderson
praxis101.com

Benjamin Tomhave wrote:
I had just a quick query for everyone out there, with an attached thought.

How many security and/or secure coding professionals are prevalently
involved with the SXSW conference this week? I know, I know... it's a big
party for developers - particularly the Web 2.0 clique - but I'm just
curious.

Here's why: I'm increasingly frustrated by the disconnect between
business/dev and security. I don't feel like we're being largely
successful in getting the business and developers to include security as
part of their standard operating procedures. Developers are still
oftentimes lazy and sloppy, creating XSS and CSRF and SQL injection holes.

I then look at SXSW from afar and think: a) shouldn't I be there
evangelizing security? and, b) shouldn't a major thread to all these
conferences be about how security is integrating with dev processes and
practices, making it better?

Maybe I'm just too idealistic. I'm curious what everyone else thinks.

cheers,

-ben


_______________________________________________
Secure Coding mailing list (SC-L) SC-L at securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________

-- 
Johan Peeters
http://johanpeeters.com
