I was thinking about something that Dave Winer said on the Gillmor Gang
about how the software industry moves forward when small groups (like 1
or 2) of developers get motivated to solve a problem. I was wondering
how this applies to software security, since it seems like a perfect
description for what seems to have motivated Phil Zimmermann to write
PGP.

In information security, we seem to have a preponderance of ideas and
technologies from vendors and academia, but relatively less (compared
to the software space) amount of grassroots efforts by small groups of
developers making incremental improvements. There are probably a couple
of reasons for this: first, security tends to be a system property, so
it can be difficult to deal with this incrementally. Secondly, security
is sort of invisible, e.g. in normal app development work you code a lot
and then *something* happens: your web server is suddenly multithreaded
and can handle tons more volume of requests. In security, you work
really hard, write a lot of code and then something doesn't happen.

Does anyone have candidates for grassroots efforts targeted at software
security and secure coding? Not necessarily required to be open source
(though I would expect most of them to be), but a low barrier to entry
for developers to use, e.g. free. I have started a list including:

* mod_security
* RATS
* OWASP (Standards and tools)
* Legion of the Bouncy Castle
* Microsoft's Threat Modeling Tool

Any other nominations?

-gp
