McGovern, James F \(HTSC, IT\) [mailto:[EMAIL PROTECTED] writes:
> the value of tools in this space are not really targeted at developers > but should be targeted at executives who care about overall quality and > security folks who care about risk. While developers are the ones to > remediate, the accountability for secure coding resides elsewhere. Sort of. There are multiple levels of accountability. As has been said here many times: the developers should be held accountable for producing secure software, but the management must give them the time and tools to do so, and management usually places far higher priority on things like ease of use and especially on time to market. > It would seem to be that tools that developers plug into their IDE should > be free since the value proposition should reside elsewhere. Many of these > tools provide "audit" functionality and allow enterprises to gain a view > into their portfolio that they previously had zero clue about and this is > where the value should reside. Heh. Yeah, I'd like to see some executive dashboard saying things like whose code currently generates the most warnings, especially if those warnings are from security analysis tools. B-) Of course, most executives won't bother looking at something that "techy", let alone understand the significance. B-( > If there is even an iota of agreement, wouldn't it be in the best interest > of folks here to get vendors to ignore developer specific licensing and > instead focus on enterprise concerns? Unfortunately, that often means that ANY license at all for it will be horrendously expensive, so that small shops are totally cut out. -Dave -- Dave Aronson "Specialization is for insects." -Heinlein Work: http://www.davearonson.com/ Play: http://www.davearonson.net/ _______________________________________________ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. _______________________________________________
