Figured I would ask the list for their perspective on why the adoption
of secure coding practices is so slow.

Generally speaking, not a day goes by where multiple software vendors
will email, snail mail, phone, etc. their value proposition to some
problem in the world of security. They usually do a good job in terms of
identifying common gaps across enterprises, yet have no clue as to
whether this gap is important to the enterprise to close.

If I were to ask my colleagues to enumerate gaps, I suspect it would be
too difficult to compose a list of several hundred distinct gaps in the
security space. The issue at hand is not whether the gap exists, or whether
there are solutions to close it, but one of which gaps are most important
to close.

Likewise, industry analysts do a great job of comparing products within
a domain. They will compare Fortify to Ounce Labs and so on. The thing
that is missing is how "should" secure coding compare to say identity
management or entitlements management or user-centric identity or
protecting against the insider threat and so on.

In some enterprises, the constraint for closing gaps can be funding
while pretty much in all enterprises the constraint in terms of closing
gaps is having the right resources. While everything is important, how
should one determine what is more important?

If we believe that secure coding is more important, then how do we
collectively not only talk about it amongst ourselves but also get
industry analysts to also start saying it is more important vs. resorting
to product comparisons? Likewise, magazines should also take a similar
approach. After all, many folks on this list understand that the vast
majority of decision makers nowadays don't necessarily come from a
technical background and at some level practice Management by Magazine,
and therefore we should help them to be successful...


Secure Coding mailing list (SC-L)
SC-L is hosted and moderated by KRvW Associates, LLC
as a free, non-commercial service to the software security community.