<[EMAIL PROTECTED]> <[EMAIL PROTECTED]> <[EMAIL PROTECTED]>
Subject: Re: [SC-L] How do we improve s/w developer awareness?
Date: Mon, 15 Nov 2004 20:40:13 -0500
Organization: Aspect Security, Inc.
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1437
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1441
X-Virus-Scanned: Secured by aspStation
Sender: [EMAIL PROTECTED]
Precedence: bulk
Mailing-List: contact <[EMAIL PROTECTED]> ; run by MajorDomo
List-Id: Secure Coding Mailing List <sc-l.securecoding.org>
List-Post: <mailto:[EMAIL PROTECTED]>
List-Subscribe: <http://www.securecoding.org/list/>
List-Unsubscribe: <http://www.securecoding.org/list/>
List-Help: <http://www.securecoding.org/list/charter.php>
List-Archive: <http://lists.virus.org>
Delivered-To: mailing list [EMAIL PROTECTED]
Delivered-To: moderator for [EMAIL PROTECTED]
> These metrics are all well and good, but what makes you think consumers will
> ever be able to care about such things? Consumers have so far only cared
> about security when it directly affects them. One could argue that's how it
> should be; users should never have to worry about the software they are
> running because "bad" software should never get past the door of the
> developers.

Not to be crass, but what most consumers care about is what the vendors tell them to. It's all about the market. Currently, the market is stuck where vendors don't disclose anything about the security of their process and product, and consumers don't ask. Our job is to change the market so that it works differently.

Now you can change a market with taxation, liability (see Bruce Schneier's most recent cryptogram for yet another plea), incentives, regulation, etc. One of the least intrusive models, in my view, is to ensure that everyone has the same information, and let the market sort it out.

I think you're right that the information has to be appropriate for the consumer, or at least enough so that a reasonable software architect could consume it. So if that's the challenge, I'm up for it.

--Jeff