quick question - SXSW

[arian.evans at anachronic.com (Arian J. Evans)]

So two thoughts Ben, purely my 0.02 USD:

1. This is largely the wrong crowd. Designers of small web2.0 stuffs,
particularly the domain of widgets and WS interfaces for all the usual
suspect platforms (flickr, facebook etc.) as well as most startups:

They just don't care.

They will never care.

SXSW has "* long tail" and "* design pattern" 2007 buzzword
compliant presentations.

You could probably get a snazzy "top 5 web2.0 security mistakes
everyone is making" or "Top 5 Security Design-Patterns" in there,
but I don't think it's the right audience. OSCON might be a better
fit, if you praise Ruby and release some open source "security" project.

2. This "security DNA" notion -- I don't really buy it. I don't think
there's a big tipping point coming for "all hands in for writing secure
software" in our near future. Maybe if people start dying because
of insecure software, this will change, but until then ...

I do see increasing awareness is mid to large size organizations
(fortune 2000 +). Developers are more aware and more interested
in security, but mostly in organizations that penalize (fire or
domote) individuals involved in public security blunders.

Overall security is not a feature or a function that you can monetarize.
It's not even cool or sexy. It's an emergent behavior that is only
observed when it is making your software harder to use.

Not until insurance or substantial penalties are the norm (if they are
ever the norm) will we have meaningful quantitative data to drive a
justification for security as a requirement in startup or most open
source software projects. That's my opinion, anyway.

---
Arian J. Evans
Software Security Stuff


On Wed, Mar 12, 2008 at 2:31 PM, Benjamin Tomhave
<list-spam at secureconsulting.net> wrote:
> First, thanks for that Bill, it exemplifies my point perfectly. A couple
>  thoughts...
>
>  one, targeting designers is just as important as reaching out to the
>  developers themselves... if the designers can ensure that security
>  requirements are incorporated from the outset, then we receive an added
>  benefit...
>
>  two, a re-phrasing around my original thought... somehow we need to get
>  security thinking and considerations encoded into the DNA of everyone in
>  the business, whether they be designers, architects, coders, analysts,
>  PMs, sysadmins, etc, etc, etc. Every one of those topics you mention
>  could (should!) have had implicit and explicit security attributes
>  included... yet we're still at the point where secure coding has to be
>  explicitly requested/demanded (often as an afterthought or bolt-on)...
>
>  How do we as infosec professionals get people to the next phase of
>  including security thoughts in everything they do... with the end-goal
>  being that it is then integrated fully into practices and processes as a
>  bona fide genetic mutation that is passed along to future generations?
>
>  To me, this seems to be where infosec is stuck as an industry. There
>  seems to be a need for a catalyst to spur the mutation so that it can
>  have a life of its own. :)
>
>  fwiw.
>
>
>  -ben
>
>  --
>  Benjamin Tomhave, MS, CISSP
>  falcon at secureconsulting.net
>  LI: http://www.linkedin.com/in/btomhave
>  Blog: http://www.secureconsulting.net/
>  Photos: http://photos.secureconsulting.net/
>  Web: http://falcon.secureconsulting.net/
>
>  [ Random Quote: ]
>  Augustine's Second Law of Socioscience: "For every scientific (or
>  engineering) action, there is an equal and opposite social reaction."
>  http://globalnerdy.com/2007/07/18/laws-of-software-development/
>
>
>
>  William L. Anderson wrote:
>  > Dear Ben, having just been at SXSW Interactive (I live in Austin, TX) I
>  > did not see many discussions that pay attention to security, or any
>  > other software engineering oriented concerns, explicitly.
>  >
>  > There was a discussion of scalability for web services that featured the
>  > developers from digg, Flickr, WordPress, and Media Temple. I got there
>  > about half-way through but the discussion with the audience was about
>  > tools and methods to handle high traffic loads. There was a question
>  > about build and deployment strategies and I asked about unit testing
>  > (mixed answers - some love it, some think it's strong-arm micro-mgt (go
>  > figure)).
>  >
>  > There was a session on OpenID and OAuth (open authorization) standards
>  > and implementation. These discussions kind of assume the use of secure
>  > transports but since I couldn't stay the whole time I don't know if
>  > secure coding was addressed explicitly.
>  >
>  > The main developer attendees at SXSW would call themselves designers and
>  > I would guess many of them are doing web development in PHP, Ruby, etc.
>  > I think the majority of attendees would not classify themselves as
>  > software programmers.
>  >
>  > To me it seems very much like at craft culture. That doesn't mean that a
>  > track on how to develop secure web services wouldn't be popular. In fact
>  > it might be worth proposing one for next year.
>  >
>  > If you want to talk further, please get in touch.
>  >
>  > -Bill Anderson
>  > praxis101.com
>  >
>  > Benjamin Tomhave wrote:
>  >> I had just a quick query for everyone out there, with an attached
>  >> thought.
>  >>
>  >> How many security and/or secure coding professionals are prevalently
>  >> involved with the SXSW conference this week? I know, I know... it's a big
>  >> party for developers - particularly the Web 2.0 clique - but I'm just
>  >> curious.
>  >>
>  >> Here's why: I'm increasingly frustrated by the disconnect between
>  >> business/dev and security. I don't feel like we're being largely
>  >> successful in getting the business and developers to include security as
>  >> part of their standard operating procedures. Developers are still
>  >> oftentimes lazy and sloppy, creating XSS and CSRF and SQL injection
>  >> holes.
>  >>
>  >> I then look at SXSW from afar and think: a) shouldn't I be there
>  >> evangelizing security? and, b) shouldn't a major thread to all these
>  >> conferences be about how security is integrating with dev processes and
>  >> practices, making it better?
>  >>
>  >> Maybe I'm just too idealist. I'm curious what everyone else thinks.
>  >>
>  >> cheers,
>  >>
>  >> -ben
>  >>
>  >
>  >
>
>  _______________________________________________
>  Secure Coding mailing list (SC-L) SC-L at securecoding.org
>  List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
>  List charter available at - http://www.securecoding.org/list/charter.php
>  SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
>  as a free, non-commercial service to the software security community.
>  _______________________________________________