I agree.

Reaching the development community, that's precisely what we are
trying to do at secappdev. Thanks for helping with that too, Ken.
I have also taken some security-related sessions to conferences such
as XP Days Benelux, XP Days France and SPA. Appearing soon at ACCU.
I would love to hear from anyone else in this niche.

kr,

Yo

On 3/12/08, Kenneth Van Wyk <[EMAIL PROTECTED]> wrote:
> Ben,
>
> Your point is a good one -- the software security community needs to
> be vigilant in reaching out to developers and spreading "the word".
>
> FWIW, some dev conferences have done this.  I spoke at SD West in
> 2006, and there was a significant security track there.  Still, it'd
> be great to see that sort of thing at more dev-specific conferences.
>
> Cheers,
>
> Ken van Wyk
> SC-L Moderator
>
> On Mar 12, 2008, at 5:31 PM, Benjamin Tomhave wrote:
>
> > First, thanks for that Bill, it exemplifies my point perfectly. A
> > couple
> > thoughts...
> >
> > one, targeting designers is just as important as reaching out to the
> > developers themselves... if the designers can ensure that security
> > requirements are incorporated from the outset, then we receive an
> > added
> > benefit...
> >
> > two, a re-phrasing around my original thought... somehow we need to
> > get
> > security thinking and considerations encoded into the DNA of
> > everyone in
> > the business, whether they be designers, architects, coders, analysts,
> > PMs, sysadmins, etc, etc, etc. Every one of those topics you mention
> > could (should!) have had implicit and explicit security attributes
> > included... yet we're still at the point where secure coding has to be
> > explicitly requested/demanded (often as an afterthought or bolt-on)...
> >
> > How do we as infosec professionals get people to the next phase of
> > including security thoughts in everything they do... with the end-goal
> > being that it is then integrated fully into practices and processes
> > as a
> > bona fide genetic mutation that is passed along to future generations?
> >
> > To me, this seems to be where infosec is stuck as an industry. There
> > seems to be a need for a catalyst to spur the mutation so that it can
> > have a life of its own. :)
> >
> > fwiw.
> >
> > -ben
> >
> > --
> > Benjamin Tomhave, MS, CISSP
> > [EMAIL PROTECTED]
> > LI: http://www.linkedin.com/in/btomhave
> > Blog: http://www.secureconsulting.net/
> > Photos: http://photos.secureconsulting.net/
> > Web: http://falcon.secureconsulting.net/
> >
> > [ Random Quote: ]
> > Augustine's Second Law of Socioscience: "For every scientific (or
> > engineering) action, there is an equal and opposite social reaction."
> > http://globalnerdy.com/2007/07/18/laws-of-software-development/
> >
> > William L. Anderson wrote:
> >> Dear Ben, having just been at SXSW Interactive (I live in Austin,
> >> TX) I
> >> did not see many discussions that pay attention to security, or any
> >> other software engineering oriented concerns, explicitly.
> >>
> >> There was a discussion of scalability for web services that
> >> featured the
> >> developers from digg, Flickr, WordPress, and Media Temple. I got
> >> there
> >> about half-way through but the discussion with the audience was about
> >> tools and methods to handle high traffic loads. There was a question
> >> about build and deployment strategies and I asked about unit testing
> >> (mixed answers - some love it, some think it's strong-arm micro-mgt
> >> (go
> >> figure)).
> >>
> >> There was a session on OpenID and OAuth (open authorization)
> >> standards
> >> and implementation. These discussions kind of assume the use of
> >> secure
> >> transports but since I couldn't stay the whole time I don't know if
> >> secure coding was addressed explicitly.
> >>
> >> The main developer attendees at SXSW would call themselves
> >> designers and
> >> I would guess many of them are doing web development in PHP, Ruby,
> >> etc.
> >> I think the majority of attendees would not classify themselves as
> >> software programmers.
> >>
> >> To me it seems very much like a craft culture. That doesn't mean
> >> that a
> >> track on how to develop secure web services wouldn't be popular. In
> >> fact
> >> it might be worth proposing one for next year.
> >>
> >> If you want to talk further, please get in touch.
> >>
> >> -Bill Anderson
> >> praxis101.com
> >>
> >> Benjamin Tomhave wrote:
> >>> I had just a quick query for everyone out there, with an attached
> >>> thought.
> >>>
> >>> How many security and/or secure coding professionals are prevalently
> >>> involved with the SXSW conference this week? I know, I know...
> >>> it's a big
> >>> party for developers - particularly the Web 2.0 clique - but I'm
> >>> just
> >>> curious.
> >>>
> >>> Here's why: I'm increasingly frustrated by the disconnect between
> >>> business/dev and security. I don't feel like we're being largely
> >>> successful in getting the business and developers to include
> >>> security as
> >>> part of their standard operating procedures. Developers are still
> >>> oftentimes lazy and sloppy, creating XSS and CSRF and SQL injection
> >>> holes.
> >>>
> >>> I then look at SXSW from afar and think: a) shouldn't I be there
> >>> evangelizing security? and, b) shouldn't a major thread to all these
> >>> conferences be about how security is integrating with dev
> >>> processes and
> >>> practices, making it better?
> >>>
> >>> Maybe I'm just too idealistic. I'm curious what everyone else thinks.
> >>>
> >>> cheers,
> >>>
> >>> -ben
> >>>
>
> _______________________________________________
> Secure Coding mailing list (SC-L) SC-L@securecoding.org
> List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
> List charter available at - http://www.securecoding.org/list/charter.php
> SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
> as a free, non-commercial service to the software security community.
> _______________________________________________
>
>
>


-- 
Johan Peeters
http://johanpeeters.com