While I completely agree with this statement, it is a much tougher sell to management that is seeking to keep the company making money (or perhaps even alive). I believe that having (and using) an imperfect tool is better than nothing, so I would at least push for that. Getting things that play well together is even better.
I think a complete overhaul and digging security flaws out is even better, but is a much harder sell in many places in my experience. Perhaps I am too jaded, but you have to work with what you can get approved and paid for.
The cost of the "indispensable" experience is much higher than most companies will stomach. :)
Some companies do value it, but most haven't "seen the light" yet in my experience. While that is limited compared to many on this list, I think my perspective is something that is easy to lose track of when you are fixing security issues every day. Everyone doesn't share the vision, unfortunately.
And some of those that see the problem don't have the budget and executive support to fix the problem....
-- Brad Andrews RBA Communications CSSLP, SANS/GIAC GSEC, GCFW, GCIH, GPCI Quoting Andre Gironda <and...@gmail.com>:
On 7/28/09, Brad Andrews <andr...@rbacomm.com> wrote: Experts can't be replaced by tools.
_______________________________________________ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. _______________________________________________
