Secure Coding mailing list archives
Unclassified NSA document on .NET 2.0 Framework Security
From: leichter_jerrold at emc.com (Jerry Leichter)
Date: Wed, 26 Nov 2008 13:43:35 -0500
On Nov 26, 2008, at 3:05 AM, Stephen Craig Evans wrote:
> Hi Gunnar,
>
> I apologize to everybody if I have come across as being harsh.
>
> From my 8 years of experience of living in Asia and being actively involved as a developer and working with developers (at Microsoft as its first .NET Regional Developer Evangelist in 2001 to recently at Symantec as the first Secure Application Services consultant for APAC), IMO there's a big gap between the maturity of software security here vs. Europe vs. West Coast USA vs. East Coast USA. The culture is different and even in the situation that a software developer cared and wanted to implement software security, in many countries they could get in a lot of trouble for upstaging their boss and making him or her "lose face". The responsibility of secure software is not at the developer level in most cases....
This has really important implications, and is worthy of thought and discussion. On the one hand, *right now*, it justifies the complaints about outsourcing: That you really can't trust software produced in Asia. On the other hand, the (relative) command-and-control nature of development in Asia means that, should management there decide that security is an important issue - and since given the nature of their business, they are very sensitive to customer demand, that would mean that their customers tell them unambiguously that it's what they'll be judged on *and actually act that way* - Asian outsourcers are likely to be much more effective at getting their organizations to focus on secure practices than we are here in the more free-wheeling West.

-- Jerry