Subject: Re: [SC-L] How do we improve s/w developer awareness?
Date: Mon, 15 Nov 2004 20:40:13 -0500
Organization: Aspect Security, Inc.
List-Id: Secure Coding Mailing List <sc-l.securecoding.org>

>These metrics are all well and good, but what makes you think consumers
>will ever be able to care about such things? Consumers have so far only
>cared about security when it directly affects them. One could argue that's
>how it should be; users should never have to worry about the software they
>are running because "bad" software should never get past the door of the
>developers.

Not to be crass, but what most consumers care about is what the vendors tell
them to. It's all about the market. Currently, the market is stuck where
vendors don't disclose anything about the security of their process and
product, and consumers don't ask.  Our job is to change the market so that
it works differently.

Now you can change a market with taxation, liability (see Bruce Schneier's
most recent cryptogram for yet another plea), incentives, regulation, etc...
One of the least intrusive models, in my view, is to ensure that everyone
has the same information, and let the market sort it out.

I think you're right that the information has to be appropriate for the
consumer, or at least enough so that a reasonable software architect could
consume it. So if that's the challenge, I'm up for it.

--Jeff
