> and that's the problem. the accountability for insecure coding should
> reside with the developers. it's their fault [mostly].

I find it fascinating that an industry like security, that has delivered a grand total of TWO working mechanisms[1] over several decades of effort, is so willing to throw others under the bus. Methinks they doth protesteth too much and all that...

Instead it would be more productive for security to roll up their collective sleeves and help build better tools and services.

1. Get proactively involved in the SDL, tomorrow if not sooner: http://www.cigital.com/justiceleague/2007/05/24/sdlc-on-the-shoulders-of-giants/

2. Make sure that involvement is pragmatic, and helps the enterprise make the hard decisions to improve things instead of standard IT Security CYA: http://1raindrop.typepad.com/1_raindrop/2007/06/cost_effective_.html

-gp

[1] "one being the reference monitor and the other crypto" - Blaine Burnham

_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
_______________________________________________