I think you misunderstood my points a little bit. SXSW was just a current conference example. As Gary's pointed out, there are many conferences. It's possible SXSW wasn't a good example, but it was meant more symbolically. More comments inline...
Arian J. Evans wrote:
> 1. This is largely the wrong crowd. Designers of small web2.0 stuffs,
> particularly the domain of widgets and WS interfaces for all the usual
> suspect platforms (flickr, facebook etc.) as well as most startups:
>
> They just don't care.
>
> They will never care.
>

I fundamentally disagree. Everybody is the right crowd, assuming the message is tailored appropriately. It's precisely the perspective you espouse that concerns me greatly. I don't believe the security industry _as_a_whole_ has maintained momentum, and I attribute that directly to the SEP* effect. This goes directly to my larger point about ingraining security considerations/thoughtfulness/practices into all aspects of the business (not just coding, btw).

*See http://en.wikipedia.org/wiki/Somebody_Else%27s_Problem_field

> 2. This "security DNA" notion -- I don't really buy it. I don't think
> there's a big tipping point coming for "all hands in for writing secure
> software" in our near future. Maybe if people start dying because
> of insecure software, this will change, but until then ...
>

If everyone starts coding more responsibly, then at some point the genre of "secure coding" goes away, because it's inherent in everything that's written. Today, I'd settle for all externally-facing apps being coded to address the OWASP Top 10, and to get developers to think for a change before doing silly things like implementing client-side filtering in the client code.

> I do see increasing awareness in mid to large size organizations
> (fortune 2000 +). Developers are more aware and more interested
> in security, but mostly in organizations that penalize (fire or
> demote) individuals involved in public security blunders.
>

Hard-earned gains. How do we institutionalize these practices and get beyond playing the role of Law Enforcement for the security department?

> Overall security is not a feature or a function that you can monetarize.
> It's not even cool or sexy. It's an emergent behavior that is only
> observed when it is making your software harder to use.
>

On the first sentence, I say "yes, exactly!" On the second sentence, I couldn't disagree more. Security should not be "making your software harder to use." Addressing XSS, CSRF, SQL injection, and input/output filtering/encoding should not diminish the end-user experience. Things like 2-factor authentication might have that result, but we're not really talking about that right now.

> Not until insurance or substantial penalties are the norm (if they are
> ever the norm) will we have meaningful quantitative data to drive a
> justification for security as a requirement in startup or most open
> source software projects. That's my opinion, anyway.
>

I would really like for you to be wrong, but I can't really disagree with your base conclusion here. Hence my frustration. It provides a good case for shelving all security departments until the business starts taking major hits and they come begging for help.

Honestly, I don't understand it. Businesses don't disagree that they need properly secured code/sites/etc. Yet, by the same token, they don't do what's necessary up front to secure their code/sites/etc. It's a truly bizarre disconnect that boggles my mind.

Thanks for the response! :)

-ben

--
Benjamin Tomhave, MS, CISSP
[EMAIL PROTECTED]
LI: http://www.linkedin.com/in/btomhave
Blog: http://www.secureconsulting.net/
Photos: http://photos.secureconsulting.net/
Web: http://falcon.secureconsulting.net/

[ Random Quote: ]
"A man without a goal is like a ship without a rudder." Thomas Carlyle

_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________