With all the questions about what are good books, are there any views on
actually implementing the principles, i.e. using them on real programmes to
drive security improvement? In particular, the contrast between existing
programmes and new programmes?
Consider the environment before
Dear Ben, having just been at SXSW Interactive (I live in Austin, TX) I did not
discussions that pay attention to security, or any other software engineering
There was a discussion of scalability for web services that featured the
developers from digg,
First, thanks for that Bill, it exemplifies my point perfectly. A couple
one, targeting designers is just as important as reaching out to the
developers themselves... if the designers can ensure that security
requirements are incorporated from the outset, then we receive an added
On Tue, Mar 11, 2008 at 6:43 AM, Benjamin Tomhave
[EMAIL PROTECTED] wrote:
I had just a quick query for everyone out there, with an attached thought.
How many security and/or secure coding professionals are prevalently
involved with the SXSW conference this week? I know, I know... it's a big
Your point is a good one -- the software security community needs to
be vigilant in reaching out to developers and spreading the word.
FWIW, some dev conferences have done this. I spoke at SD West in
2006, and there was a significant security track there. Still, it'd
be great to
On Wed, Mar 12, 2008 at 4:30 PM, Gary McGraw [EMAIL PROTECTED] wrote:
You mean the AJAX one? Last time I went there was zero interest and even less
clue about security among attendees. The only shining light was a long
conversation I had with Bill Joy about security critical
Reaching the development community, that's precisely what we are
trying to do at secappdev. Thanks for helping with that too, Ken.
I have also taken some security-related sessions to conferences such
as XP Days Benelux, XP Days France and SPA. Appearing soon at ACCU.
I would love to hear
my responses inline
On Wed, Mar 12, 2008 at 6:08 PM, Benjamin Tomhave
[EMAIL PROTECTED] wrote:
I think you misunderstood my points a little bit. SXSW was just a
current conference example. As Gary's pointed out, there are many
conferences. It's possible SXSW wasn't a good example, but it was
I agree this is a big issue; there is no cotton picking way that the
security people are solving these problems, it has to come from the
developers. I put together a track for QCon which included Brian Chess
on Static Analysis, John Steven on Threat Modeling, and Jeff Williams on
ESAPI and Web
So two thoughts Ben, purely my 0.02 USD:
1. This is largely the wrong crowd. Designers of small web2.0 stuffs,
particularly the domain of widgets and WS interfaces for all the usual
suspect platforms (flickr, facebook etc.) as well as most startups:
They just don't care.
They will never care.
I rebooted the security track completely at SD West in 2003 (thanks to Tami who
I cc'ed here). I'm on the advisory board.
We're slowly inching our way toward SDL/touchpoints/CLASP stuffs at SD West,
though when I tried to cover the touchpoints and enterprise security in 2006,