Dear Ben, having just been at SXSW Interactive (I live in Austin, TX) I did not 
see many 
discussions that pay attention to security, or any other software engineering 
oriented concerns, 

There was a discussion of scalability for web services that featured the 
developers from digg, 
Flickr, WordPress, and Media Temple. I got there about half-way through but the 
discussion with 
the audience was about tools and methods to handle high traffic loads. There 
was a question 
about build and deployment strategies and I asked about unit testing (mixed 
answers - some love 
it, some think it's strong-arm micro-mgt (go figure)).

There was a session on OpenID and OAuth (open authorization) standards and 
implementation. These 
discussions kind of assume the use of secure transports but since I couldn't 
stay the whole time 
I don't know if secure coding was addressed explicitly.

The main developer attendees at SXSW would call themselves designers and I 
would guess many of 
them are doing web development in PHP, Ruby, etc. I think the majority of 
attendees would not 
classify themselves as software programmers.

To me it seems very much like at craft culture. That doesn't mean that a track 
on how to develop 
secure web services wouldn't be popular. In fact it might be worth proposing 
one for next year.

If you want to talk further, please get in touch.

-Bill Anderson

Benjamin Tomhave wrote:
> I had just a quick query for everyone out there, with an attached thought.
> How many security and/or secure coding professionals are prevalently
> involved with the SXSW conference this week? I know, I know... it's a big
> party for developers - particularly the Web 2.0 clique - but I'm just
> curious.
> Here's why: I'm increasingly frustrated by the disconnect between
> business/dev and security. I don't feel like we're being largely
> successful in getting the business and developers to include security as
> part of their standard operating procedures. Developers are still
> oftentimes lazy and sloppy, creating XSS and CSRF and SQL injection holes.
> I then look at SXSW from afar and think: a) shouldn't I be there
> evangelizing security? and, b) shouldn't a major thread to all these
> conferences be about how security is integrating with dev processes and
> practices, making it better?
> Maybe I'm just too idealist. I'm curious what everyone else thinks.
> cheers,
> -ben
Secure Coding mailing list (SC-L)
List information, subscriptions, etc -
List charter available at -
SC-L is hosted and moderated by KRvW Associates, LLC (
as a free, non-commercial service to the software security community.

Reply via email to