In a previous thread someone appropriately commented that perspectives in this 
space differ depending upon whether you are a software vendor, government 
customer or enterprise. I do not disagree that developers need to know how to 
fix their code. What I am saying is that tools to assist developers in writing 
better code should be free.

Your quote "*imho* vendor has to follow developer licensing" is where I think 
it will harm the goals of secure coding at large. Consider the trend within the 
industry that tools for software development are essentially becoming free. No 
one pays for IDEs (rare exceptions) when things like Eclipse and Visual Studio 
have free versions.

Enterprise folks however will pay lots of money for tools in the auditing space 
that help them to quantify risk. The ability to scan large multiple code bases 
is a different product/problem than scanning while writing code in an IDE. I am 
saying that more money could be had if folks focus on the first and not the 
latter. Vendors who get it twisted by focusing on the number of developers are 
delusional and should ask themselves why only a select few of any 
enterprise are pervasively deploying tools to developers.

Give away the developer tools in the same way Microsoft does and you will 
accelerate your potential sales from the bottom up. Not all sales within places 
are driven top down...

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Paolo Perego
Sent: Friday, June 08, 2007 5:40 AM
To: McGovern, James F (HTSC, IT)
Cc: Secure Coding
Subject: Re: [SC-L] Perspectives on Code Scanning

Hi there, I found this thread very interesting.
It's true that developers are the ones who remediate code
insecurity and executives care about how much effort has to be spent
on closing branches. Indeed I think the two categories need a tool
approaching the same problem (telling if code follows security best
practices or not) showing results in 2 "different" languages.

Developers need to know how to fix their code. Executives need to
know how much these fixes cost, who will attend to them and in how much
time fixes will be committed.

*imho* vendor has to follow developer licensing... since the developer does
know how to write code but has to be helped in writing it in a
secure way.

Safe coding is a concern for both developers and executives.
My 2 euro cents

Ciao ciao
thesp0nge
-- 
Owasp Orizon leader
orizon.sourceforge.net
_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________