On Nov 26, 2008, at 3:05 AM, Stephen Craig Evans wrote:

Hi Gunnar,

I apologize to everybody if I have come across as being harsh.

>From my 8 years of experience of living in Asia and being actively
involved as a developer and working with developers (at Microsoft as
its first .NET Regional Developer Evangelist in 2001 to recently at
Symantec as the first Secure Application Services consultant for
APAC), IMO there's a big gap between the maturity of software security
here vs. Europe vs. West Coast USA vs. East Coast USA.

The culture is different and even in the situation that a software
developer cared and wanted to implement software security, in many
countries they could get in a lot of trouble for upstaging their boss
and making him or her "lose face".

The responsibility of secure software is not at the developer level in
most cases....

This has really important implications, and is worthy of thought and discussion.

On the one hand, *right now*, it justifies the complaints about outsourcing: That you really can't trust software produced in Asia. On the other hand, the (relative) command-and-control nature of development in Asia means that, should management there decide that security is an important issue - and since given the nature of their business, they are very sensitive to customer demand, that would mean that their customers tell them unambiguously that it's what they'll be judged on *and actually act that way* - Asian outsourcers are likely to be much more effective at getting their organizations to focus on secure practices than we are here in the more free-wheeling West.

                                                        -- Jerry

Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.

Reply via email to