On 11/7/06, Wall, Kevin <[EMAIL PROTECTED]> wrote:
>
> Developers have to cut corners somewhere, and since security issues
> are not paramount, that's often what gets overlooked.
>
This is the biggest issue I think. It gets overlooked because management don't value it, partly because it's expensive to do, and there's no real qualitative or quantitative measure of success. You can't go to your management and say "I spent 20% of my time working on security issues, it cost us $x but it will save our customers $y, and security was improved by 15%", or if you can, you're bullshitting, but will probably get a nice bonus :)

I think a college level textbook would have limited benefit. There is plenty of information out there at the moment for those who are interested, both on the net and in book form. I suppose it's nice to have a single point of reference though.

However, most graduates aren't really good practical programmers. They know stuff like what a for loop is and how recursion works, which is great, but they learn the ins and outs of developing when they get their first real job. So they get their first job, and basically learn from the people they're working with. The people they're working with and learning from are busy, and working under time and budget constraints. They're just not going to focus on security, even if they had the knowledge to do it effectively, because other things are more important to the company's management.

Most managers (and developers too I guess) do care about security, but only in the way people care about global warming. They know global warming is bad, but oh gee, what are we going to do? Oh, today I remembered to turn off my desk lamp when I left the office. Great. Same with security: you don't have to be a genius to work out security holes are bad, but oh gee, what are you actually going to do about it? If organisations don't really care about software security, a security conscious developer faces an uphill battle. If two devs are working on some code, one does it slower but more securely, the other does it quicker but less securely, who's going to look better in a typical organisation?

Your fresh grad is going to learn quick enough what companies want from them. As time goes by, they become the ones breaking in the new developers, so the cycle continues. A book isn't going to help this; it probably won't hurt, but I don't think the lack of available literature is a big problem.

A good organisation will focus on what its customers want. Until the customers start kicking up a storm about vulnerabilities, there's little impetus for management to devote resources to security. I think this is one of the things Microsoft has done well: over the last few years they have started taking security seriously, and I can only assume it's because their customers started complaining. They still have a lot of security issues (an insuperable amount IMO), but it shows that for companies to start taking software security seriously, it has to be something the customer wants.

_______________________________________________
Secure Coding mailing list (SC-L)
SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php