The vast majority of IT executives are unfamiliar with all of the principles of security, firewalls, coding, whatever.
Are they unfamiliar because of background, or do they feel that their staff has a handle on it and therefore they don't need to pay much attention to it? Both have different characteristics in terms of getting the word out.

The important thing to understand is that such principles are below their granularity; they are *right* to not care about such principles, because they can't do anything about them. Their granularity of decision making is which products to buy, which strategies to adopt, which managers to hire and fire. Suppose they did understand the principles of secure coding; how then would they use that to decide between firewalls? Web servers? Application servers?

Executives don't need to care about the details, but they can care enough to embrace the notion of procuring secure software. They can care about the fact that much of the code they outsource doesn't have any metrics attached to it, and that acceptance shouldn't be on meeting functionality alone.

If anything, the idea that needs to be pitched to IT executives is to pay more attention to "quality" than to shiny buttons & features. But there's the rub: what is "quality" and how can an IT executive measure it?

The best way for IT executives to measure things is metrics that indicate a trend. Regardless of what they decide to measure, it should trend positive.

I have lots of informal metrics that I use to measure quality, but they largely amount to synthesized reputation capital, derived from reading bugtraq and the like with respect to how many vulnerabilities I see for a given product, e.g. Qmail and Postfix are extremely secure, Pidgin not so much :) But as soon as we formalize anything like this kind of metric, and get executives to start buying according to it, then vendors start gaming the system. They start developing with the aim of getting the highest whatever-metric score they can, rather than actual quality.
This happens because metrics that approximate quality are always cheaper to achieve than actual quality. This is a very, very hard problem, and sad to say, but pitching articles on principles to executives won't solve it.

My notion wasn't just pitching to them, as this is what has occurred to date. I was also suggesting that the media take on secure coding has to go well beyond the frequent consultant and vendor types that post here. If you think for a moment about other successful marketing campaigns in IT such as CMMi, ITIL, etc., the vast majority of executives know and embrace them but can't tell you who even invented them, as the community let them grow past the founding members. We haven't yet come to the same realization here...

Crispin
--
Crispin Cowan, Ph.D.  http://crispincowan.com/~crispin
CEO, Mercenary Linux  http://mercenarylinux.com/
Itanium. Vista. GPLv3. Complexity at work
_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
_______________________________________________