Secure Coding mailing list archives

Unclassified NSA document on .NET 2.0 Framework Security


From: leichter_jerrold at emc.com (Jerry Leichter)
Date: Wed, 26 Nov 2008 13:43:35 -0500

On Nov 26, 2008, at 3:05 AM, Stephen Craig Evans wrote:

> Hi Gunnar,
>
> I apologize to everybody if I have come across as being harsh.
>
> From my 8 years of experience of living in Asia and being actively
> involved as a developer and working with developers (at Microsoft as
> its first .NET Regional Developer Evangelist in 2001 to recently at
> Symantec as the first Secure Application Services consultant for
> APAC), IMO there's a big gap between the maturity of software security
> here vs. Europe vs. West Coast USA vs. East Coast USA.
>
> The culture is different and even in the situation that a software
> developer cared and wanted to implement software security, in many
> countries they could get in a lot of trouble for upstaging their boss
> and making him or her "lose face".
>
> The responsibility of secure software is not at the developer level in
> most cases....

This has really important implications, and is worthy of thought and  
discussion.

On the one hand, *right now*, it justifies the complaints about  
outsourcing:  That you really can't trust software produced in Asia.   
On the other hand, the (relative) command-and-control nature of  
development in Asia means that, should management there decide that  
security is an important issue - and since given the nature of their  
business, they are very sensitive to customer demand, that would mean  
that their customers tell them unambiguously that it's what they'll be  
judged on *and actually act that way* - Asian outsourcers are likely  
to be much more effective at getting their organizations to focus on  
secure practices than we are here in the more free-wheeling West.

                                                         -- Jerry

