Figured I would ask the list for their perspective on why the adoption of secure coding practices is so slow.
Generally speaking, not a day goes by where multiple software vendors will email, snail mail, phone, etc. their value proposition to some problem in the world of security. They usually do a good job in terms of identifying common gaps across enterprises, yet have no clue as to whether this gap is important for the enterprise to close. If I were to ask my colleagues to enumerate gaps, I suspect it would be too difficult to compose a list of several hundred distinct gaps in the security space. The issue at hand is not whether the gap exists, or whether there are solutions to close it, but one of which gaps are most important to close.

Likewise, industry analysts do a great job of comparing products within a domain. They will compare Fortify to Ounce Labs and so on. The thing that is missing is how secure coding "should" compare to, say, identity management or entitlements management or user-centric identity or protecting against the insider threat, and so on.

In some enterprises, the constraint for closing gaps can be funding, while in pretty much all enterprises the constraint in terms of closing gaps is having the right resources. While everything is important, how should one determine what is more important? If we believe that secure coding is more important, then how do we collectively not only talk about it amongst ourselves but also get industry analysts to start saying it is more important vs. resorting to product comparisons? Likewise, magazines should also take a similar approach. After all, many folks on this list understand that the vast majority of decision makers nowadays don't necessarily come from a technical background and at some level practice Management by Magazine, and therefore we should help them to be successful...

_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
_______________________________________________