While no customer is likely to say they don't care about software working now that we are past Y2K, they don't think about it at all and are unlikely to allow any schedule slippage to allow for making sure that is true.
Customers only really care about the things they will pay for. Many companies claim they "can't stand" poor software or services, but they still pay for them, so they will keep getting them.
Until we convince them that good security really is important and that they must demand and pay for it, we won't make the progress we want to make.
How many companies wouldn't even be doing the PCI level of effort if they weren't forced to do so? How many strictly limit it to their "PCI environment" rather than looking at the risk to the whole enterprise? Even major breaches don't help since the "it can't happen here" attitude is common all over, in spite of the fact it is a risky stance.
While part of this is just a cynical rant, I think the base point is that we have a whole lot more selling to do on the need for software security before we can properly place it throughout the curriculum. That sales job is hard. The fact a few people have "gotten it" doesn't mean most have or that we are completely ready for the next step.
I realize many here may not be saying that, but that is the message I get stepping back. And I am a dreamer/visionary. I like to think well ahead of things, but focusing too much there makes us likely to continue to be a niche area, leaving lots of vulnerabilities.
Wouldn't a better focus be on the customer demand end? Stirring that up will do more to advance secure development than any number of maturity models. Unfortunately, it is a much more difficult task. I would bet it is also not as conceptually interesting to many.
-- Brad Andrews RBA Communications CISM, CSSLP, SANS/GIAC GSEC, GCFW, GCIH, GPCI Quoting Martin Gilje Jaatun <secse-ch...@sislab.no>:
His stance on this is that "if security were important to the customer, the customer would provide and prioritize security requirements". To me, this is a bit like saying "If the customer doesn't explicitly state that the software should be Y2k-proof, he/she is not really bothered about it".
_______________________________________________ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. _______________________________________________
