Secure Coding mailing list archives

Unclassified NSA document on .NET 2.0 Framework Security


From: stephencraig.evans at gmail.com (Stephen Craig Evans)
Date: Thu, 27 Nov 2008 10:24:36 +0800

Whenever I speak with a customer or any software decision makers, I
implore them, before buying another vendor's software, or
hiring/contracting a 3rd party development firm, to ask a couple of
simple questions: "What do you do for software security?", and "Can
you send me some documents about your software security practices?".

From my experience, that will stop at least 95% of them in their tracks.

There are lots of country-specific 5 to 30 person software shops
located in the major Asian business centers. But even if, say, IBM is
the main contractor to a client of mine, those questions can still be
asked of IBM, and it's their responsibility to get the answers from
the small software shop (and my client will have the documentation as
a "trust but verify" check for later use).

Stephen

On 11/27/08, Jerry Leichter <leichter_jerrold at emc.com> wrote:

On Nov 26, 2008, at 3:05 AM, Stephen Craig Evans wrote:
Hi Gunnar,

 I apologize to everybody if I have come across as being harsh.

 From my 8 years of experience of living in Asia and being actively
 involved as a developer and working with developers (at Microsoft as
 its first .NET Regional Developer Evangelist in 2001 to recently at
 Symantec as the first Secure Application Services consultant for
 APAC), IMO there's a big gap between the maturity of software security
 here vs. Europe vs. West Coast USA vs. East Coast USA.

 The culture is different and even in the situation that a software
 developer cared and wanted to implement software security, in many
 countries they could get in a lot of trouble for upstaging their boss
 and making him or her "lose face".

 The responsibility of secure software is not at the developer level in
 most cases....

This has really important implications, and is worthy of thought and
discussion.

On the one hand, *right now*, it justifies the complaints about outsourcing:
That you really can't trust software produced in Asia.  On the other hand,
the (relative) command-and-control nature of development in Asia means that,
should management there decide that security is an important issue - and
since given the nature of their business, they are very sensitive to
customer demand, that would mean that their customers tell them
unambiguously that it's what they'll be judged on *and actually act that
way* - Asian outsourcers are likely to be much more effective at getting
their organizations to focus on secure practices than we are here in the
more free-wheeling West.


                                                        -- Jerry