WebApp Sec mailing list archives

Re: Secure Coding? Bah!

From: "Adam Tuliper" <amt () gecko-software com>
Date: Fri, 23 Jan 2004 00:08:34 -0500

oh completely agreed about training them. When I sit down with a group of
developers and show them security techniques.. they are _always_ interested.
It
just concerns me that they didn't have a clue about any of it until I told
them. Thats all my point really is. They never went out on their own to
learn it, they were
never approached to learn it, etc.


----- Original Message -----
From: "Mark Curphey" <mark () curphey com>
To: "Adam Tuliper" <amt () gecko-software com>; <webappsec () SECURITYFOCUS COM>
Sent: Thursday, January 22, 2004 11:01 PM
Subject: Re: Secure Coding? Bah!

Interesting but I have exactly the opposite opinion and experience. I know

you often get great buy in from developers interested in new techniques and
new challenges. If you approach them with a whip you have to expect a fight,
but when approached with compassion people almost always want to do the
right thing.


To use your dog analogy, if you dont train them then you will never get

better. This is like saying, my dogs always going to poop on the front step,
gotta use the back door and accept it!


Just my humble opinion ;-)

---- Adam Tuliper <amt () gecko-software com> wrote:

credentials or not.. he's right on almost every aspect.

Almost every company I've done work at had pretty insecure
code that I had to fix. I know of almost no peer developers
who are security conscious, as well as I know no developers
personally that were taught security as part of their
training.  It never ceases to amaze me how many developers
know next to nothing about writing secure code. You tell
them about a sql injection attack and they look at you like
a dog who just heard a funny noise and turns its head
sideways. Ironically the only people I know who seme to
have any idea about security are the same ones who could
hack your systems. Seems like this needs to be more two-way
knowledge but most developers just don't care.
On Thu, 22 Jan 2004 21:42:24 -0500 (EST)
 Mark Curphey <mark () curphey com> wrote:

Does anyone know of any information about this authors
credentials to make
these claims ?

http://infosecuritymag.techtarget.com/ss/0,295796,sid6_iss306_art550,00.html


---------------------------------------------------------------------
Web mail provided by NuNet, Inc. The Premier National provider.
http://www.nni.com/

Current thread:

Re: Secure Coding? Bah!, (continued)
- - Re: Secure Coding? Bah! Juridian (Jan 22)
- Re: Secure Coding? Bah! David Wall @ Yozons, Inc. (Jan 22)
  - RE: Secure Coding? Bah! Taco Fleur (Jan 22)
    - RE: Secure Coding? Bah! Tim Greer (Jan 23)
    - RE: Secure Coding? Bah! Taco Fleur (Jan 23)
    - RE: Secure Coding? Bah! Tim Greer (Jan 23)
- RE: Secure Coding? Bah! Taco Fleur (Jan 22)
- Re: Secure Coding? Bah! Chris DeVoney (Jan 22)
- Re: Secure Coding? Bah! Chris Kirschke (Jan 22)
- Re: Secure Coding? Bah! Mark Curphey (Jan 22)
  - Re: Secure Coding? Bah! Adam Tuliper (Jan 22)
- Re: Secure Coding? Bah! Mark Curphey (Jan 22)
  - RE: Secure Coding? Bah! Taco Fleur (Jan 22)
- Re: Secure Coding? Bah! Mark Curphey (Jan 23)
- RE: Secure Coding? Bah! Taco Fleur (Jan 23)
- Re: Secure Coding? Bah! ONEILL David J (Jan 23)
  - Re: Secure Coding? Bah! Mike Hoskins (Jan 24)
- RE: Secure Coding? Bah! Robert Paris (Jan 23)
  - RE: Secure Coding? Bah! Tim Greer (Jan 24)
- RE: Secure Coding? Bah! Glenn_Everhart (Jan 23)
  - RE: Secure Coding? Bah! Dinis Cruz (Jan 25)