Secure Coding mailing list archives
Re: How do we improve s/w developer awareness?
From: Gunnar Peterson <gunnar () arctecgroup net>
Date: Thu, 11 Nov 2004 21:38:38 +0000
I agree. In general, "classic" IT Security types are too focused on the problem and not focused enough on the solution side of the equation. Development is in many cases simply blissfully unaware of real security or thinks it's someone else's job.

In terms of dealing with developers and getting them to care, Gary's books and Secure Coding are excellent resources for motivated developers. I think it is important to understand that there are a lot of problems with software, not just security problems. Studying how, say, usability architects approach software problems is instructive in how security personnel may effectively engage developers. If you read this thread from Edward Tufte's site, then you see that leading usability people have no more easy answers than software security people:

http://www.edwardtufte.com/bboard/q-and-a-fetch-msg?msg_id=0000D8&topic_id=1&topic=Ask%20E%2eT%2e

If we say that the value of software is tied to how usable, reliable and secure the software is, then how do we get developers to care about *-ility?

*-ilities unite!

-gp

Quoting "Kenneth R. van Wyk" <[EMAIL PROTECTED]>:
> Greetings,
>
> In my business travels, I spend quite a bit of time talking with Software Developers as well as IT Security folks. One significant difference that I've found is that the IT Security folks, by and large, tend to pay a lot of attention to software vulnerability and attack information, while most of the Dev folks that I talk to are blissfully unaware of the likes of Full-Disclosure, Bugtraq, PHRACK, etc. I haven't collected any real stats, but it seems to me to be at least a 90/10% and 10/90% difference. (Yes, I know that this is a gross generalization and there are no doubt significant exceptions, but...)
>
> I believe that this presents a significant hurdle to getting Dev folks to care about Software Security issues. Books like Gary McGraw's Exploiting Software do a great job at explaining how software can be broken, which is a great first step, but it's only a first step.
>
> Am I alone in this opinion or have others noticed the same sort of thing? It's going to be a long, slow battle, in my opinion.
>
> Cheers,
>
> Ken
> --
> KRvW Associates, LLC
> http://www.KRvW.com