On Dec 3, 2007 8:34 AM, silky <[EMAIL PROTECTED]> wrote:
> how does anyone know how to hire anyone for a job that they themselves
> aren't qualified for? well, you pay professionals to do it.
> recruitment agents. this should be part of their role. and absolutely
> agreed; most certification is useless, secure programming is no
> different.

Um, have you ever dealt with a recruitment agent? How are they going
to tell? The guy had secure coding on his CV? Ok ....

A few points in general:

1 - I'm yet to meet a programmer who intentionally creates security
problems in production code. Most developers I meet are very much
interested in secure coding, so in that respect things are a lot
better than they were 5 years ago when very few people knew, and even
less cared.

Penalizing developers for writing insecure code is not the answer,
because as others have pointed out all it will do is encourage people
to cover things up and never talk about security vulnerabilities. You
have to take into account the environment in which they work, which is
most likely not conductive to producing quality output, and also that
even the best people will make mistakes.

I've heard of some companies taking the attitude that code level
security issues are OK, because it means they didn't waste too much
money on higher quality outsourced developers ... and from a security
vendor no less, whoda thunk ;-)

2 - Source code scanners still have a long way to go. I realize there
are a lot of vested interests on this list, but based on my recent
experiences with commercial scanners it is pure folly relying on them
to secure your applications. They are useful tools with a real place,
and better than previous generations, but overpriced and still of
limited value. That they are sold as "quality tools" rather than
"security tools" is telling.

Running code through 3 different scanners is great, but a) who has the
time, b) who can justify 3 different tools to management, c) who's
going to wield the rod, and d) why do you think anyone would actually
care about the rod?

3 - Taxes, government bodies, penalties, etc. all bullshit for now.
When its possible to prove a program is correct, ok, but until then
its way to fuzzy and wobbly to start throwing bureaucracy at. It would
be good to see some form of self-regulation, ideally from a credible
independent source, not a cert merchant or security services vendor.

Yours in brevity,
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.

Reply via email to