I agree. Reaching the development community, that's precisely what we are trying to do at secappdev. Thanks for helping with that too, Ken. I have also taken some security-related sessions to conferences such as XP Days Benelux, XP Days France and SPA. Appearing soon at ACCU. I would love to hear from anyone else in this niche.
kr, Yo On 3/12/08, Kenneth Van Wyk <[EMAIL PROTECTED]> wrote: > Ben, > > Your point is a good one -- the software security community needs to > be vigilant in reaching out to developers and spreading "the word". > > FWIW, some dev conferences have done this. I spoke at SD West in > 2006, and there was a significant security track there. Still, it'd > be great to see that sort of thing at more dev-specific conferences. > > Cheers, > > Ken van Wyk > SC-L Moderator > > On Mar 12, 2008, at 5:31 PM, Benjamin Tomhave wrote: > > > First, thanks for that Bill, it exemplifies my point perfectly. A > > couple > > thoughts... > > > > one, targeting designers is just as important as reaching out to the > > developers themselves... if the designers can ensure that security > > requirements are incorporated from the outset, then we receive an > > added > > benefit... > > > > two, a re-phrasing around my original thought... somehow we need to > > get > > security thinking and considerations encoded into the DNA of > > everyone in > > the business, whether they be designers, architects, coders, analysts, > > PMs, sysadmins, etc, etc, etc. Every one of those topics you mention > > could (should!) have had implicit and explicit security attributes > > included... yet we're still at the point where secure coding has to be > > explicitly requested/demanded (often as an afterthought or bolt-on)... > > > > How do we as infosec professionals get people to the next phase of > > including security thoughts in everything they do... with the end-goal > > being that it is then integrated fully into practices and processes > > as a > > bona fide genetic mutation that is passed along to future generations? > > > > To me, this seems to be where infosec is stuck as an industry. There > > seems to be a need for a catalyst to spur the mutation so that it can > > have a life of its own. :) > > > > fwiw. > > > > -ben > > > > -- > > Benjamin Tomhave, MS, CISSP > > [EMAIL PROTECTED] > > LI: http://www.linkedin.com/in/btomhave > > Blog: http://www.secureconsulting.net/ > > Photos: http://photos.secureconsulting.net/ > > Web: http://falcon.secureconsulting.net/ > > > > [ Random Quote: ] > > Augustine's Second Law of Socioscience: "For every scientific (or > > engineering) action, there is an equal and opposite social reaction." > > http://globalnerdy.com/2007/07/18/laws-of-software-development/ > > > > William L. Anderson wrote: > >> Dear Ben, having just been at SXSW Interactive (I live in Austin, > >> TX) I > >> did not see many discussions that pay attention to security, or any > >> other software engineering oriented concerns, explicitly. > >> > >> There was a discussion of scalability for web services that > >> featured the > >> developers from digg, Flickr, WordPress, and Media Temple. I got > >> there > >> about half-way through but the discussion with the audience was about > >> tools and methods to handle high traffic loads. There was a question > >> about build and deployment strategies and I asked about unit testing > >> (mixed answers - some love it, some think it's strong-arm micro-mgt > >> (go > >> figure)). > >> > >> There was a session on OpenID and OAuth (open authorization) > >> standards > >> and implementation. These discussions kind of assume the use of > >> secure > >> transports but since I couldn't stay the whole time I don't know if > >> secure coding was addressed explicitly. > >> > >> The main developer attendees at SXSW would call themselves > >> designers and > >> I would guess many of them are doing web development in PHP, Ruby, > >> etc. > >> I think the majority of attendees would not classify themselves as > >> software programmers. > >> > >> To me it seems very much like at craft culture. That doesn't mean > >> that a > >> track on how to develop secure web services wouldn't be popular. In > >> fact > >> it might be worth proposing one for next year. > >> > >> If you want to talk further, please get in touch. > >> > >> -Bill Anderson > >> praxis101.com > >> > >> Benjamin Tomhave wrote: > >>> I had just a quick query for everyone out there, with an attached > >>> thought. > >>> > >>> How many security and/or secure coding professionals are prevalently > >>> involved with the SXSW conference this week? I know, I know... > >>> it's a big > >>> party for developers - particularly the Web 2.0 clique - but I'm > >>> just > >>> curious. > >>> > >>> Here's why: I'm increasingly frustrated by the disconnect between > >>> business/dev and security. I don't feel like we're being largely > >>> successful in getting the business and developers to include > >>> security as > >>> part of their standard operating procedures. Developers are still > >>> oftentimes lazy and sloppy, creating XSS and CSRF and SQL injection > >>> holes. > >>> > >>> I then look at SXSW from afar and think: a) shouldn't I be there > >>> evangelizing security? and, b) shouldn't a major thread to all these > >>> conferences be about how security is integrating with dev > >>> processes and > >>> practices, making it better? > >>> > >>> Maybe I'm just too idealist. I'm curious what everyone else thinks. > >>> > >>> cheers, > >>> > >>> -ben > >>> > > _______________________________________________ > Secure Coding mailing list (SC-L) SC-L@securecoding.org > List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l > List charter available at - http://www.securecoding.org/list/charter.php > SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) > as a free, non-commercial service to the software security community. > _______________________________________________ > > > -- Johan Peeters http://johanpeeters.com _______________________________________________ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. _______________________________________________
