Making software secure should be a requirement of the development process. I've 
had the privilege to have worked on some very good projects where the managers 
emphasised security at the beginning of the project's life cycle since it was a 
requirement of the client. 

Unfortunately, functionality for users takes precedence and security is 
usually left as an add-on at the end in most places. 
This is down to managers and the business/clients not giving security the right 
focus. 
I've been told on at least two projects not to worry about security "because we 
have a firewall"! Even if they can be convinced of the benefits of security in 
depth etc., they still don't want to do it.
That is the mentality that many developers are up against. Couple that with 
demands on budget and deadlines, and it is no wonder that so much software is 
insecure. 

ys

----- Original Message -----
From: Gunnar Peterson <[EMAIL PROTECTED]>
To: "Kenneth R. van Wyk" <[EMAIL PROTECTED]>
Subject: Re: [SC-L] How do we improve s/w developer awareness?
Date: Thu, 11 Nov 2004 10:34:24 -0600

> 
> I agree. In general "classic" IT Security types are too focused on the problem
> and not focused enough on the solution side of the equation. Development is in
> many cases simply blissfully unaware of real security or thinks it's someone
> else's job. In terms of dealing with developers and getting them to care,
> Gary's books and Secure Coding are excellent resources for motivated
> developers. I think it is important to understand that there are a lot of problems
> with software, not just security problems. Studying how, say, usability
> architects approach software problems is instructive in how security personnel
> may effectively engage developers. If you read this thread from Edward Tufte's
> site, then you see that leading usability people have no more easy answers than
> software security people:
> 
> http://www.edwardtufte.com/bboard/q-and-a-fetch-msg?msg_id=0000D8&topic_id=1&topic=Ask%20E%2eT%2e
> 
> If we say that the value of software is tied to how usable, reliable and secure
> the software is, then how do we get developers to care about *-ility?
> 
> *-ilities unite!
> 
> -gp
> 
> Quoting "Kenneth R. van Wyk" <[EMAIL PROTECTED]>:
> 
> > Greetings,
> >
> > In my business travels, I spend quite a bit of time talking with Software
> > Developers as well as IT Security folks.  One significant difference that I've
> > found is that the IT Security folks, by and large, tend to pay a lot of
> > attention to software vulnerability and attack information while most of the
> > Dev folks that I talk to are blissfully unaware of the likes of
> > Full-Disclosure, Bugtraq, PHRACK, etc.  I haven't collected any real stats,
> > but it seems to me to be at least a 90/10% and 10/90% difference.  (Yes, I
> > know that this is a gross generalization and there are no doubt significant
> > exceptions, but...)
> >
> > I believe that this presents a significant hurdle to getting Dev folks to care
> > about Software Security issues.  Books like Gary McGraw's Exploiting Software
> > do a great job at explaining how software can be broken, which is a great
> > first step, but it's only a first step.
> >
> > Am I alone in this opinion or have others noticed the same sort of thing?
> > It's going to be a long, slow battle, in my opinion.
> >
> > Cheers,
> >
> > Ken
> > --
> > KRvW Associates, LLC
> > http://www.KRvW.com
> >
> 
> 
> 
