[Apologies for this reply being a bit behind the discussion - I originally
submitted it from a different
e-mail account than the one I subscribed with, and so it sailed off to
/dev/null.]
On Wed Jun 6 18:59 , "Michael Silk" [EMAIL PROTECTED]> sent:
>On 6/7/07, McGovern, James F (HTSC, IT) [EMAIL PROTECTED]> wrote:
>> I really hope that this email doesn't generate a ton of offline emails and
>> hope that folks will
>> talk publicly. It has been my latest thinking that the value of tools in
>> this space are not really
>> targeted at developers but should be targeted at executives who care about
>> overall quality
>> and security folks who care about risk. While developers are the ones to
>> remediate, the
>> accountability for secure coding resides elsewhere.
>
>and that's the problem. the accountability for insecure coding should
>reside with the developers. it's their fault [mostly].
I started to look through the ACM Code Of Ethics (COE) to see what it says
about this. ACM has
a general COE:
http://www.acm.org/constitution/code.html
and one for Software Engineering and Professional Practice:
http://www.acm.org/serving/se/code.htm
I glanced through them fairly quickly, but neither appears to specifically
address secure coding.
Reading through both it seems to me that the spirit of both of these COE
documents is that everyone
involved in the production of software (including developers and managers) has
an obligation to
ensure the quality/reliability/safety of the software. (It would be
interesting to look at other professional
organizations' COEs too.)
This makes sense to me. If only developers are held responsible, then it is
too easy for management to make
the work environment difficult for developers who sweat code security, and then
wash their hands of it.
Similarly, if only the managers are responsible, the developers can take
shortcuts to meet deadlines and
avoid responsibility if the software breaks. If everybody has a stake in the
security of the software, maybe
it will happen.
_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________
