But, if you get the ideas in front of the C-Suite folks and it resonates, then they push it down the lines in their organization where, one hopes, those who should pay attention will pay attention. Awareness, I would think, is what matters.
My $0.02 for the week. Bernie ==================== Bernie Rosen Director, Juniper SIRT 1-408-936-4809 Direct 1-650-714-8255 Mobile ==================== -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Crispin Cowan Sent: Thu 15 Nov 2007 12:29 To: McGovern, James F (HTSC, IT) Cc: Secure Coding Subject: Re: [SC-L] OWASP Publicity McGovern, James F (HTSC, IT) wrote: > I have observed an interesting behavior in that the vast majority of > IT executives still haven't heard about the principles behind secure > coding. My take says that we are publishing information in all the > wrong places. IT executives don't really read ACM, IEEE or other the > sporadic posting from bloggers but they do read CIO, Wall Street > Journal and most importantly listen to each other. > > What do folks on this list think about asking the magazines and > newspapers to publish? I am willing to gather contact information of > news reporters and others within the media if others are willing to > amplify the call to action in terms of contacting them. > The vast majority of IT executives are unfamiliar with all of the principles of security, firewalls, coding, whatever. The important thing to understand is that such principles are below their granularity; then are *right* to not care about such principles, because they can't do anything about them. Their granularity of decision making is which products to buy, which strategies to adopt, which managers to hire and fire. Suppose they did understand the principles of secure coding; how then would they use that to decide between firewalls? Web servers? Application servers? If anything, the idea that needs to be pitched to IT executives is to pay more attention to "quality" than to shiny buttons & features. But there's the rub, what is "quality" and how can an IT executive measure it? I have lots of informal metrics that I use to measure quality, but they largely amount to synthesized reputation capital, derived from reading bugtraq and the like with respect to how many vulnerabilities I see with respect to a given product, e.g. Qmail and Postifx are extremely secure, Pidgin not so much :) But as soon as we formalize anything like this kind of metric, and get executives to start buying according to it, then vendors start gaming the system. They start developing aiming at getting the highest whatever-metric score they can, rather than for actual quality. This happens because metrics that approximate quality are always cheaper to achieve than actual quality. This is a very, very hard problem, and sad to say, but pitching articles articles on principles to executives won't solve it. Crispin -- Crispin Cowan, Ph.D. http://crispincowan.com/~crispin CEO, Mercenary Linux http://mercenarylinux.com/ Itanium. Vista. GPLv3. Complexity at work _______________________________________________ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. _______________________________________________ _______________________________________________ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. _______________________________________________