Found on the web -- local boy makes good: Review by Ross Anderson

To appear in Jan/Feb 2007 IEEE S&P Magazine

Gary McGraw, "Software Security - Building Security In"
Addison-Wesley, 2006

`We must first agree that software security is not security software', writes Gary McGraw in the first chapter of his new book. Spot on! Things break because software is just about everywhere, and we rely on it for just about everything; we had software before the Internet, but we couldn't have the Internet until there was software. Software has bugs, and some of them cause vulnerabilities. Trying to compensate for bugs by adding a layer of special security software can only get you so far - often not far enough.

But how can you train programmers to stop writing vulnerabilities? The explosion of the software industry over the past fifty years has created far more programming jobs than there are CS graduates to fill them. Most of my teenage contemporaries who studied science subjects - any science, from physics to geology to physiology - ended up writing code of one kind or another. Having run out of trainable people in the USA and Europe, we now have hundreds of thousands of folks in the developing world writing code. And as processors and communications spread from office equipment to domestic appliances and eventually to most inedible things costing more than a few dollars, the software quality gap can only get worse. So people who understand security and know how to write have an opportunity - one might even say a duty - to try to close this gap.

...

http://www.swsec.com/press/ra-ieeesp.php

-gp

_______________________________________________
Secure Coding mailing list (SC-L)
SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php