McGovern, James F (HTSC, IT) [mailto:[EMAIL PROTECTED]] writes:

 > the value of tools in this space is not really targeted at developers
 > but should be targeted at executives who care about overall quality and
 > security folks who care about risk. While developers are the ones to
 > remediate, the accountability for secure coding resides elsewhere.

Sort of.  There are multiple levels of accountability.  As has been said here 
many times: the developers should be held accountable for producing secure 
software, but the management must give them the time and tools to do so, and 
management usually places far higher priority on things like ease of use and 
especially on time to market.

 > It would seem to me that tools that developers plug into their IDE should
 > be free since the value proposition should reside elsewhere. Many of these
 > tools provide "audit" functionality and allow enterprises to gain a view
 > into their portfolio that they previously had zero clue about, and this is
 > where the value should reside.

Heh.  Yeah, I'd like to see some executive dashboard saying things like whose 
code currently generates the most warnings, especially if those warnings are 
from security analysis tools.  B-)  Of course, most executives won't bother 
looking at something that "techy", let alone understand the significance.  B-(

 > If there is even an iota of agreement, wouldn't it be in the best interest
 > of folks here to get vendors to ignore developer specific licensing and
 > instead focus on enterprise concerns?

Unfortunately, that often means that ANY license at all for it will be 
horrendously expensive, so that small shops are totally cut out.


Dave Aronson
"Specialization is for insects."  -Heinlein

Secure Coding mailing list (SC-L)
SC-L is hosted and moderated by KRvW Associates, LLC
as a free, non-commercial service to the software security community.