quick question - SXSW

[list-spam at secureconsulting.net (Benjamin Tomhave)]

I think you misunderstood my points a little bit. SXSW was just a 
current conference example. As Gary's pointed out, there are many 
conferences. It's possible SXSW wasn't a good example, but it was meant 
more symbolically. More comments inline...

Arian J. Evans wrote:
> 1. This is largely the wrong crowd. Designers of small web2.0 stuffs,
> particularly the domain of widgets and WS interfaces for all the usual
> suspect platforms (flickr, facebook etc.) as well as most startups:
>
> They just don't care.
>
> They will never care.
I fundamentally disagree. Everybody is the right crowd, assuming the 
message is tailored appropriately. It's precisely the perspective you 
espouse that concerns me greatly. I don't believe the security industry 
_as_a_whole_ has maintained momentum, and I attribute that directly to 
the SEP* effect. This goes directly to my larger point about ingraining 
security considerations/thoughtfulness/practices into all aspects of the 
business (not just coding, btw).

*See http://en.wikipedia.org/wiki/Somebody_Else%27s_Problem_field

> 2. This "security DNA" notion -- I don't really buy it. I don't think
> there's a big tipping point coming for "all hands in for writing secure
> software" in our near future. Maybe if people start dying because
> of insecure software, this will change, but until then ...
If everyone starts coding more responsibly, then at some point the genre 
of "secure coding" goes away, because it's inherent in everything that's 
written. Today, I'd settle for all externally-facing apps being coded to 
address the OWASP Top 10, and to get developers to think for a change 
before doing silly things like implementing client-side filtering in the 
client code.

> I do see increasing awareness is mid to large size organizations
> (fortune 2000 +). Developers are more aware and more interested
> in security, but mostly in organizations that penalize (fire or
> domote) individuals involved in public security blunders.
Hard-earned gains. How do we institutionalize these practices and get 
beyond playing the role of Law Enforcement for the security department?

> Overall security is not a feature or a function that you can monetarize.
> It's not even cool or sexy. It's an emergent behavior that is only
> observed when it is making your software harder to use.
On the first sentence, I say "yes, exactly!" On the second sentence, I 
couldn't disagree more. Security should not be "making your software 
harder to use." Address XSS, CSRF, SQL injection, and input/output 
filtering/encoding should not diminish the end-user experience. Things 
like 2-factor authentication might have that result, but we're not 
really talking about that right now.

> Not until insurance or substantial penalties are the norm (if they are
> ever the norm) will we have meaningful quantitative data to drive a
> justification for security as a requirement in startup or most open
> source software projects. That's my opinion, anyway.
I would really like for you to be wrong, but I can't really disagree 
with your base conclusion here. Hence my frustration. It provides a good 
case for shelving all security departments until the business starts 
taking major hits and they come begging for help. Honestly, I don't 
understand it. Businesses don't disagree that they need properly secured 
code/sites/etc. Yet, by the same token, they don't do what's necessary 
up front to secure their code/sites/etc. It's a truly bizarre disconnect 
that boggles my mind.

Thanks for the response! :)

-ben

-- 
Benjamin Tomhave, MS, CISSP
falcon at secureconsulting.net
LI: http://www.linkedin.com/in/btomhave
Blog: http://www.secureconsulting.net/
Photos: http://photos.secureconsulting.net/
Web: http://falcon.secureconsulting.net/

[ Random Quote: ]
"A man without a goal is like a ship without a rudder."
Thomas Carlyle