Wonder what happens if we apply that same logic to building design or bridge
design and construction?

Those who don't place blame at the source are just trying to blame shift. Bad
idea.

Mike Hines
-----------------------------------
Michael S Hines
[EMAIL PROTECTED] 

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Michael Silk
Sent: Wednesday, April 06, 2005 8:40 AM
To: Kenneth R. van Wyk
Cc: Secure Coding Mailing List
Subject: Re: [SC-L] Application Insecurity --- Who is at Fault?

Quoting from the article:
''You can't really blame the developers,''

I couldn't disagree more with that ...

It's completely the developers' fault (and managers'). 'Security' isn't
something that should be thought of as an 'extra' or an 'added bonus'
in an application. Typically it's just about programming _correctly_!

The article says it's a 'communal' problem (i.e., consumers should
_ask_ for secure software!). This isn't exactly true, and not really
fair. Insecure software or secure software can exist without
consumers. They don't matter. It's all about the programmers. The
problem is they are allowed to get away with their crappy programming
habits - and that is the fault of management, not consumers, for
allowing 'security' to be thought of as something separate from
'programming'.

Consumers can't be punished and blamed, they are just trying to get
something done - word processing, emailing, whatever. They don't need
to - nor should, really - care about lower-level security in the
applications they buy. The programmers should just get it right, and
managers need to get a clue about what is acceptable 'programming' and
what isn't.

Just my opinion, anyway.

-- Michael


On Apr 6, 2005 5:15 AM, Kenneth R. van Wyk <[EMAIL PROTECTED]> wrote:
> Greetings++,
> 
> Another interesting article this morning, this time from eSecurityPlanet.
> (Full disclosure: I'm one of their columnists.)  The article, by Melissa
> Bleasdale and available at
> http://www.esecurityplanet.com/trends/article.php/3495431, is on the general
> state of application security in today's market.  Not a whole lot of new
> material there for SC-L readers, but it's still nice to see the software
> security message getting out to more and more people.
> 
> Cheers,
> 
> Ken van Wyk
> --
> KRvW Associates, LLC
> http://www.KRvW.com
>


