The vast majority of IT executives are unfamiliar with all of the
principles of security, firewalls, coding, whatever.

Are they unfamiliar because of background, or do they feel that their staff
has a handle on it and therefore don't need to pay much attention to it?
Both have different characteristics in terms of getting the word out.

The important thing to understand is that such principles are below
their granularity; they are *right* to not care about such principles,
because they can't do anything about them. Their granularity of decision
making is which products to buy, which strategies to adopt, which
managers to hire and fire. Suppose they did understand the principles of
secure coding; how then would they use that to decide between firewalls?
Web servers? Application servers?

Executives don't need to care about the details but they can care enough
to embrace the notion of procuring secure software. They can care about
the fact that much of their code that they outsource doesn't have any
metrics attached to them and that acceptance shouldn't be on meeting
functionality alone.

If anything, the idea that needs to be pitched to IT executives is to
pay more attention to "quality" than to shiny buttons & features. But
there's the rub, what is "quality" and how can an IT executive measure

The best way for IT executives to measure things are metrics that
indicate a trend. Regardless of what they decide to measure, it should
trend positive.

I have lots of informal metrics that I use to measure quality, but they
largely amount to synthesized reputation capital, derived from reading
bugtraq and the like with respect to how many vulnerabilities I see with
respect to a given product, e.g. Qmail and Postfix are extremely secure,
Pidgin not so much :)

But as soon as we formalize anything like this kind of metric, and get
executives to start buying according to it, then vendors start gaming
the system. They start developing, aiming at getting the highest
whatever-metric score they can, rather than for actual quality. This
happens because metrics that approximate quality are always cheaper to
achieve than actual quality.

This is a very, very hard problem, and sad to say, but pitching
articles on principles to executives won't solve it.

My notion wasn't just pitching to them as this is what has occurred to
date. I was also suggesting that the media take on secure coding has to
go well beyond the frequent consultant and vendor types that post here.
If you think for a moment about other successful marketing campaigns in
IT such as CMMi, ITIL, etc, the vast majority of executives know and
embrace it but can't tell you who even invented it as the community let
it grow past the founding members. We haven't yet come to the same
realization here...


Crispin Cowan, Ph.D.     
CEO, Mercenary Linux     
               Itanium. Vista. GPLv3. Complexity at work

Secure Coding mailing list (SC-L)
List information, subscriptions, etc -
List charter available at -
SC-L is hosted and moderated by KRvW Associates, LLC (
as a free, non-commercial service to the software security community.