Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Virus-Scanned: Secured by aspStation
Precedence: bulk
Mailing-List: contact <[EMAIL PROTECTED]> ; run by MajorDomo
List-Id: Secure Coding Mailing List <sc-l.securecoding.org>
List-Post: <mailto:[EMAIL PROTECTED]>
List-Subscribe: <http://www.securecoding.org/list/>
List-Unsubscribe: <http://www.securecoding.org/list/>
List-Help: <http://www.securecoding.org/list/charter.php>
List-Archive: <http://lists.virus.org>
Delivered-To: mailing list [EMAIL PROTECTED]
Delivered-To: moderator for [EMAIL PROTECTED]

Dana Epp wrote:

> I think we have to go one step further.
> Its nice to know what the attack patterns are. A better thing to do is
> to know how to identify them during threat modeling, and then apply
> safeguards to mitigate the risk. ie: We need a merge of thoughts from
> "Exploiting Software" and "Building Secure Software" into a single
> source... where attack and defense can be spoken about together.

I fully agree with you, Dana, and it's a good point.  That said, though,
let me just revisit the observation that I made at the beginning of this
thread.  In my discussions with a _whole bunch_* of developers, I've
noted that few of them even bother to notice security faults in software
beyond the most cursory levels.  (*No, this doesn't represent a
statistical sampling or any scientific study of any sorts; just my gut
feel.)  The observation came from noticing how few developers read, or
are even aware of the existance of things like Full-Disclosure, Bugtraq,

Gunnar Peterson noted that security is just one among many "*-ilities"
that developers have to contend with, and that makes good sense to me.

So, I guess that the real question should be, "how do we get software
developers _in general_ to sit up and notice software security?"
Training, books, etc., are well and good, but they presuppose that the
developer has already passed the first hurdle of noticing that security
is an issue.  I'm convinced that most developers will quickly understand
at least most of the issues once they start reading/learning.


Ken van Wyk
KRvW Associates, LLC

Reply via email to