Secure Coding mailing list archives

Re: Is developer education a lost cause?


From: jeff.williams () aspectsecurity com
Date: Tue, 03 Feb 2004 01:08:45 +0000


Jeremy,

You just can't be right ;-)

It's not because customers don't care, but because there's no good way for
them to tell a secure product from snakeoil. This is a classic market
failure -- asymmetric information between buyers and sellers. You should
read "The Market for Lemons" which won George Akerlof the Nobel Prize for
Economics (see http://en.wikipedia.org/wiki/The_Market_for_Lemons).  In it,
Akerlof describes how even a market with adequate supply and demand can
break down in the face of asymmetric information.

"The paper describes the secondhand market for used cars. Some cars are in
good working order -- these are referred to as jewels; some have hidden
defects -- these are called lemons. Yet because buyers don't know which cars
are the lemons -- in this asymmetric market -- the market price of even a
good car decreases. Thus, sellers of good cars are less economically
inclined to sell their cars, and a rational market will only be filled with
bad cars."

Sound familiar? The software market is filled with bad software because it
is very difficult to tell which applications are lemons. The only way out of
this trap is to make it easier to tell insecure apps from secure ones. I
hate to say it, but this kind of market failure may require some form of
government intervention -- tort claims, tax incentives, mandatory
disclosure, or something. Oh, and the Common Criteria ain't it.

Okay, so maybe you're right for the wrong reason. If we want more secure
code, we better fix the "security information" market first. We need to
shoot for a "fair" information market where everyone has the same
information. Then market forces actually work for security. Only then does
developer education become critical.

For now, only isolated pockets of software development that are shielded
somehow from this market failure will be very interested in security
training. They *do* exist sporadically in the Global2000 and DoD, in
projects like sensitive intranet web apps/services and high profile internet
web applications. They take our classes and we're helping them improve their
SDLC so it produces secure code.

--Jeff

Jeff Williams
Aspect Security
http://www.aspectsecurity.com


----- Original Message -----
From: Jeremy Epstein
To: der Mouse ; [EMAIL PROTECTED]
Sent: Monday, February 02, 2004 9:29 AM
Subject: RE: [SC-L] Is developer education a lost cause?


Glad to see someone is taking my bait :-)


-----Original Message-----
From: der Mouse [mailto:[EMAIL PROTECTED]
Sent: Friday, January 30, 2004 5:57 PM
To: [EMAIL PROTECTED]
Subject: Re: [SC-L] Is developer education a lost cause?


I believe that developer education is a lost cause.  [...]  It's
because customers don't care.
[...]

Actually, I think this is only partially true.  It's certainly true in
the mass-market end-user millions-of-copies world, but I believe it is
much less true - perhaps to the point of being false - in the
higher-end market where you expect to sell perhaps a few dozen copies.
My contact with that market is minimal, but I did once work at a
company that aimed at it, so this opinion is not _total_ armchair
quarterbacking.


I guess we all have our limited subsets of customers.  I talk to high end
customers (Global 2000), and this is what I see.  I'm sure it's not
universally true throughout these organizations, but the folks I talk to are
usually the Information Systems (IS) folks, not the Information Technology
(IT).  There seems to be a major difference between the two: the IS folks
are interested in getting their application working, and the IT folks are
interested in infrastructure.  The latter are usually interested in whether
applications are secure, but only rarely are the former.  Since it's the IS
folks who buy & deploy business applications, that's what we have the most
to fear.

I certainly don't think you're armchair quarterbacking... but maybe you & I
are watching different games :-)


So I think training developers is mostly a waste of time & money.  We
should spend our time instead on convincing software purchasers that
they should care.  Then, and only then, is training developers
worthwhile.

Assuming you're talking about the end-user mass market, I agree with
you - and I think there isn't much we (for any appropriate value of
"we") can do to convince buyers to care.  If sobig and mydoom and such
aren't doing it, what chance do we have?


Just to be clear... I'm NOT talking about the end-user mass market.  I wish
I were.  I'm talking about Global 2000... and that's what scares me much
more.

--Jeremy, speaking at most for myself, and maybe not even that
