I really hope that this email doesn't generate a ton of offline emails and hope 
that folks will talk publicly. It has been my latest thinking that the value of 
tools in this space are not really targeted at developers but should be 
targeted at executives who care about overall quality and security folks who 
care about risk. While developers are the ones to remediate, the accountability 
for secure coding resides elsewhere.

It would seem to be that tools that developers plug into their IDE should be 
free since the value proposition should reside elsewhere. Many of these tools 
provide "audit" functionality and allow enterprises to gain a view into their 
portfolio that they previously had zero clue about and this is where the value 
should reside.

If there is even an iota of agreement, wouldn't it be in the best interest of 
folks here to get vendors to ignore developer specific licensing and instead 
focus on enterprise concerns?

This communication, including attachments, is
for the exclusive use of addressee and may contain proprietary,
confidential and/or privileged information.  If you are not the intended
recipient, any use, copying, disclosure, dissemination or distribution is
strictly prohibited.  If you are not the intended recipient, please notify
the sender immediately by return e-mail, delete this communication and
destroy all copies.

Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.

Reply via email to