WebApp Sec mailing list archives

Re: Secure Coding? Bah!


From: Mark Curphey <mark () curphey com>
Date: Thu, 22 Jan 2004 23:49:48 -0500 (EST)

Great reply and I agree with all you say. 

Rather than his credentials, I think I really meant "the credentials".

What's the statement based on? Where are the facts to support such a strong view? How did he arrive at that conclusion?

There is no doubt business leaders care about money. An XSS issue for a big high street financial services company probably 
costs around $250,000 (internal costs) to deal with (start to close). Incident response, code fix, test, pre-prod, 
prod, legal advice, enhanced monitoring, press monitoring, corporate communications preparation, regulatory authorities 
notified, de-briefs. 

You know what, business people know that !

Another thing a business leader would tell you is there is no upside there !

<To quote:>
Case in point: Microsoft spent $200 million retraining its programmers in secure coding principles. That may help 
reduce some brain-dead programming oversights down the line, but does anybody really think this will make Windows 
magically secure?
</To quote:>

Firstly perhaps the author can send me a brain-dead programming oversight in the language of his choice (English does 
not count btw) so I can understand an example he is referring to. I don't think the Windows Security Initiative is about 
brain-dead programming oversights !

Magically secure: Not sure where that expectation ever came in but it certainly isn't mine. You have to give MS credit 
for taking the bull by the horns and dealing with the problem. Nothing's going to change overnight but if you shoot for 
the stars you often end up with your head in the nice bright blue sky. There is a serious program in place, lots of 
great documentation coming out of the MS team about building security applications (especially when compared to Sun 
these days). It gives me more confidence. Enough, not yet but it's getting better ! I bet beers we'll start to see issues 
that Windows will be immune to soon and other OS's will have to deal with. It's all too easy to bash MS. 

I am just glad he's not in charge of security at any sites I use !

Personally I have stopped subscribing to all of the trade press now. It's all so out of sync with what I see in the 
field and the views are IMHO so sensationalized or have such a marketing bias, it was just more waste that has no value.



---- "David Wall @ Yozons, Inc." <dwall () yozons com> wrote:
Does anyone know of any information about this author's credentials to make
these claims ?


http://infosecuritymag.techtarget.com/ss/0,295796,sid6_iss306_art550,00.html

Not to be flippant, but what credentials would be needed?  He claims to have
a CISSP certification, though.  Overall, the claim seems rather silly and
pointless, as if driving safer "is not going to happen" so there's no need
to teach it.

Personally, I work in industry, but while I'm not an "industry leader," I
know that there are many businesses that take security seriously when it
comes to creating software.  I'll grant that we could have better tools to
assess our progress, but one way we make more money is by providing a secure
solution to our customers.  That's our business, though.  I've found similar
concerns when dealing with IT in telecom, health, banking and brokerage
firms.  One solution they use is outsourcing or purchasing software that
already has a focus on security.

As for academia, I don't think "matriculating Ph.D.s" is required since
DePaul University and California State University both offer
security-related courses.

In the end, security is a trade off game.  Nothing has to be 100% secure,
just secure enough to do business.  Maybe Mr. Briney is a purist, so he finds
no benefit in getting better at security without having total security.
Starbucks doesn't put metal detectors and armed guards in its stores, not
because they don't care about security, but because the costs are higher
than the benefits, including alienating their customers.  I think the same
is true for software.  Good software is designed with security in mind from
the get go, and many companies realize that good security makes for a better
product.  After all, nobody wants their product to be victimized in the
public's eye!

David
---------------------------------------------
David A. E. Wall
Chief Software Architect
Yozons, Inc.
Kirkland, Washington USA
Tel 425.822.4465    david.wall () yozons com
Fax 425.827.9415    www.yozons.com
Cell 425.985.6519

Yozons Signed & Secured - A secure document delivery, electronic signature,
spam-free, virus-free business private network
    - Used and proven by many in the Fortune 500
    - Low cost, hosted solutions for smaller businesses
