On 6/6/07, McGovern, James F (HTSC, IT) <[EMAIL PROTECTED]> wrote:
> I really hope that this email doesn't generate a ton of offline emails and
> hope that folks will talk publicly. It has been my latest thinking that the
> value of tools in this space are not really targeted at developers but should
> be targeted at executives who care about overall quality and security folks
> who care about risk. While developers are the ones to remediate, the
> accountability for secure coding resides elsewhere.
Hi there,

I found this thread very interesting. It's true that developers are the ones who remediate code insecurity, and executives care about how much effort has to be spent on closing branches.

Indeed, I think the two categories need a tool approaching the same problem (telling whether code follows security best practices or not) but showing results in two "different" languages. Developers need to know how to fix their code. Executives need to know how much these fixes cost, who will attend to them, and in how much time the fixes will be committed.

*imho* the vendor has to follow developer licensing... since the developer does know how to write code, but he has to be helped in writing it in a secure way. Safe coding is a concern for both developers and executives.

My 2 euro cents

Ciao ciao
thesp0nge

--
Owasp Orizon leader
orizon.sourceforge.net

_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________