On Apr 7, 2005 1:35 AM, Jeff Williams <[EMAIL PROTECTED]> wrote:
> Michael,
>
> Don't hate the player, hate the game (quoting Ice-T).

True.. the game has let them get away with it, but IMHO the players are the ones in the best position to change how they play ;)

> Developers aren't going to just write code differently because we say so. Speaking frankly, today there's really no incentive for them to write code securely. And no amount of guidelines, super-complex code scanners, or jumping up and down is going to change that.

Yes, I agree I guess ... The only incentive I've found is self-respect for what you do :)

> Nothing will change until we intervene in the software market in ways that fix these problems. There are many ways that government and industry can change the market, some more intrusive than others. Calls for a product liability regime from Schneier and others are interesting, but not likely to succeed politically.

From a government p.o.v? They don't have much of a say, do they? If companies called on vendors for contracts that specified full responsibility for security problems, that's a private issue, no?

I would think this might work, but I - if I ran a software development company - would be very scared about signing that contract... Even if I did everything right, who's to say I might not get blamed?

Anyway, insurance would end up being the solution. This would make it, then, compulsory for small businesses to have insurance to cover the cost of being sued by large corporations - and that amount of coverage might not be possible for small companies.

> See you at OWASP England.

Unfortunately not, a little bit too far for me at this time :)

-- Michael

> ----- Original Message -----
> From: "Michael Silk" <[EMAIL PROTECTED]>
> To: "Kenneth R. van Wyk" <[EMAIL PROTECTED]>
> Cc: "Secure Coding Mailing List" <SC-L@securecoding.org>
> Sent: Wednesday, April 06, 2005 9:40 AM
> Subject: Re: [SC-L] Application Insecurity --- Who is at Fault?
>
> > Quoting from the article:
> > ''You can't really blame the developers,''
> >
> > I couldn't disagree more with that ...
> >
> > It's completely the developers' fault (and managers'). 'Security' isn't something that should be thought of as an 'extra' or an 'added bonus' in an application. Typically it's just about programming _correctly_!
> >
> > The article says it's a 'communal' problem (i.e: consumers should _ask_ for secure software!). This isn't exactly true, and not really fair. Insecure software or secure software can exist without consumers. They don't matter. It's all about the programmers. The problem is they are allowed to get away with their crappy programming habits - and that is the fault of management, not consumers, for allowing 'security' to be thought of as something separate from 'programming'.
> >
> > Consumers can't be punished and blamed, they are just trying to get something done - word processing, emailing, whatever. They don't need to - nor should, really - care about lower-level security in the applications they buy. The programmers should just get it right, and managers need to get a clue about what is acceptable 'programming' and what isn't.
> >
> > Just my opinion, anyway.
> >
> > -- Michael
> >
> >
> > On Apr 6, 2005 5:15 AM, Kenneth R. van Wyk <[EMAIL PROTECTED]> wrote:
> >> Greetings++,
> >>
> >> Another interesting article this morning, this time from eSecurityPlanet. (Full disclosure: I'm one of their columnists.) The article, by Melissa Bleasdale and available at http://www.esecurityplanet.com/trends/article.php/3495431, is on the general state of application security in today's market. Not a whole lot of new material there for SC-L readers, but it's still nice to see the software security message getting out to more and more people.
> >>
> >> Cheers,
> >>
> >> Ken van Wyk
> >> --
> >> KRvW Associates, LLC
> >> http://www.KRvW.com
> >>