Secure Coding mailing list archives
Re: Is developer education a lost cause?
From: jeff.williams () aspectsecurity com
Date: Tue, 03 Feb 2004 01:08:45 +0000
Jeremy,

You just can't be right ;-) It's not because customers don't care, but because there's no good way for them to tell a secure product from snake oil. This is a classic market failure: asymmetric information between buyers and sellers. You should read "The Market for Lemons", which won George Akerlof the Nobel Prize for Economics (see http://en.wikipedia.org/wiki/The_Market_for_Lemons). In it, Akerlof describes how even a market with adequate supply and demand can break down in the face of asymmetric information.

"The paper describes the secondhand market for used cars. Some cars are in good working order; these are referred to as jewels. Some have hidden defects; these are called lemons. Yet because buyers don't know which cars are the lemons, in this asymmetric market, the market price of even a good car decreases. Thus, sellers of good cars are less economically inclined to sell their cars, and a rational market will only be filled with bad cars."

Sound familiar? The software market is filled with bad software because it is very difficult to tell which applications are lemons. The only way out of this trap is to make it easier to tell insecure apps from secure ones. I hate to say it, but this kind of market failure may require some form of government intervention: tort claims, tax incentives, mandatory disclosure, or something. Oh, and the Common Criteria ain't it.

Okay, so maybe you're right for the wrong reason. If we want more secure code, we had better fix the "security information" market first. We need to shoot for a "fair" information market where everyone has the same information. Then market forces actually work for security. Only then does developer education become critical. For now, only isolated pockets of software development that are shielded somehow from this market failure will be very interested in security training.
They *do* exist sporadically in the Global 2000 and DoD, in projects like sensitive intranet web apps/services and high-profile internet web applications. They take our classes and we're helping them improve their SDLC so it produces secure code.

--Jeff

Jeff Williams
Aspect Security
http://www.aspectsecurity.com

----- Original Message -----
From: Jeremy Epstein
To: der Mouse; [EMAIL PROTECTED]
Sent: Monday, February 02, 2004 9:29 AM
Subject: RE: [SC-L] Is developer education a lost cause?

Glad to see someone is taking my bait :-)

-----Original Message-----
From: der Mouse [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 30, 2004 5:57 PM
To: [EMAIL PROTECTED]
Subject: Re: [SC-L] Is developer education a lost cause?

> > I believe that developer education is a lost cause. [...] It's because customers don't care. [...]
>
> Actually, I think this is only partially true. It's certainly true in the mass-market end-user millions-of-copies world, but I believe it is much less true - perhaps to the point of being false - in the higher-end market where you expect to sell perhaps a few dozen copies. My contact with that market is minimal, but I did once work at a company that aimed at it, so this opinion is not _total_ armchair quarterbacking.

I guess we all have our limited subsets of customers. I talk to high-end customers (Global 2000), and this is what I see. I'm sure it's not universally true throughout these organizations, but the folks I talk to are usually the Information Systems (IS) folks, not the Information Technology (IT). There seems to be a major difference between the two: the IS folks are interested in getting their application working, and the IT folks are interested in infrastructure. The latter are usually interested in whether applications are secure, but only rarely are the former. Since it's the IS folks who buy & deploy business applications, that's what we have the most to fear. I certainly don't think you're armchair quarterbacking... but maybe you & I are watching different games :-)

> > So I think training developers is mostly a waste of time & money. We should spend our time instead on convincing software purchasers that they should care. Then, and only then, is training developers worthwhile.
>
> Assuming you're talking about the end-user mass market, I agree with you - and I think there isn't much we (for any appropriate value of "we") can do to convince buyers to care. If sobig and mydoom and such aren't doing it, what chance do we have?

Just to be clear... I'm NOT talking about the end-user mass market. I wish I were. I'm talking about Global 2000... and that's what scares me much more.

--Jeremy, speaking at most for myself, and maybe not even that