Secure Coding mailing list archives
Perspectives on Code Scanning
From: coley at linus.mitre.org (Steven M. Christey)
Date: Thu, 7 Jun 2007 01:36:20 -0400 (EDT)
On Thu, 7 Jun 2007, Michael Silk wrote:
> and that's the problem. the accountability for insecure coding should reside with the developers. it's their fault [mostly].
The customers have most of the power, but the security community has collectively failed to educate customers on how to ask for more secure software. There are pockets of success, but a whole lot more could be done.
From a developer-focused perspective, we need to deal with (1) ensuring that developers KNOW how to produce secure code (or interpret tool results), but then (2) actually produce the secure code within given deadlines. I know that (2) is a common topic on this list, but deadlines won't change until customers force the issue, which currently requires weaning them from featuritis, which has such low prospects of success that it's starting to depress me, so I'll stop and we've talked about this before anyway.
> It would seem to me that tools that developers plug into their IDE should be free since the value proposition should reside elsewhere.
I personally love this sentiment, but that's not how the current market is working, and I'm not sure how it would shift to that point. There might be lessons from the anti-virus community's long history (nowadays mostly covering the same stuff using a subscription model, but they still compete on speed more than quality of information to the end user). I don't know what the vuln scanning tool industry is up to these days (Nessus, Retina, etc.) but I do know that management-friendly reporting was the bane of that technology's existence for years.

- Steve
Current thread:
- IBM to catch Watchfire security technology | Tech News on ZDNet Kenneth Van Wyk (Jun 06)
- Perspectives on Code Scanning McGovern, James F (HTSC, IT) (Jun 06)
- Perspectives on Code Scanning Michael Silk (Jun 06)
- Perspectives on Code Scanning Steven M. Christey (Jun 06)
- Perspectives on Code Scanning Michael S Hines (Jun 07)
- Perspectives on Code Scanning der Mouse (Jun 07)
- Perspectives on Code Scanning Shea, Brian A (Jun 07)
- Perspectives on Code Scanning der Mouse (Jun 07)
- Perspectives on Code Scanning Michael Silk (Jun 06)
- Perspectives on Code Scanning McGovern, James F (HTSC, IT) (Jun 13)
- Perspectives on Code Scanning McGovern, James F (HTSC, IT) (Jun 06)
- Perspectives on Code Scanning McGovern, James F (HTSC, IT) (Jun 07)
- Perspectives on Code Scanning Gunnar Peterson (Jun 07)
- Perspectives on Code Scanning Michael Silk (Jun 07)
- Perspectives on Code Scanning McGovern, James F (HTSC, IT) (Jun 07)