> The vast majority of IT executives are unfamiliar with all of the > principles of security, firewalls, coding, whatever.
> The important thing to understand is that such principles are below > their granularity; the[y] are *right* to not care about such > principles, because they can't do anything about them. Perhaps - but then, they have to stop second-guessing the people who *do* know what they're talking about. Trying to have it both ways - management that is inexpert but nevertheless imposes their opinions on design or buying decisions - is a recipe for disaster, and, while hardly universal, is all too common. I've never understood why it is that managers who would never dream of second-guessing an electrician about electrical wiring, a construction engineer about wall bracing, a mechanic about car repairs, will not hesitate to believe - or at least act as though they believe - they know better than their in-house experts when it comes to what computer, especially software, decisions are appropriate, and use their management position to dictate choices based on their inexpert, incompletely informed, and often totally incompetent opinions. (Not just security decisions, either, though that's one of the cases with the most unfortunate consequences.) /~\ The ASCII der Mouse \ / Ribbon Campaign X Against HTML [EMAIL PROTECTED] / \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B _______________________________________________ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. _______________________________________________