Re: [SC-L] Application Insecurity --- Who is at Fault?

2005-04-07 Thread Michael Silk
On Apr 7, 2005 12:43 PM, Blue Boar [EMAIL PROTECTED] wrote: Michael Silk wrote: See, you are considering 'security' as something extra again. This is not right. It is extra. It's extra time and effort. And extra testing. And extra backtracking and schedule slipping when you realize you

Re: [SC-L] Application Insecurity --- Who is at Fault?

2005-04-07 Thread Blue Boar
Michael Silk wrote: See, you are considering 'security' as something extra again. This is not right. It is extra. It's extra time and effort. And extra testing. And extra backtracking and schedule slipping when you realize you blew something. All before it hits beta. Any solution that ends

Re: [SC-L] Application Insecurity --- Who is at Fault?

2005-04-07 Thread Margus Freudenthal
Michael Silk wrote: Consider the bridge example brought up earlier. If your bridge builder finished the job but said: ohh, the bridge isn't secure though. If someone tries to push it at a certain angle, it will fall. All bridges have certain limits. There is a difference between a footbridge and

Re: [SC-L] Application Insecurity --- Who is at Fault?

2005-04-07 Thread Michael Silk
Dave, What you're proposing is that the ironworker should reengineer the bridge in-situ (as if he even has the authority!), causing weeks of delay, cost overruns, and possibly lead to his employer never getting a bridge contract again. That's not at all what I'm suggesting... guess my point

Re: [SC-L] Application Insecurity --- Who is at Fault?

2005-04-06 Thread Michael Silk
Quoting from the article: ''You can't really blame the developers,'' I couldn't disagree more with that ... It's completely the developers' fault (and managers). 'Security' isn't something that should be thought of as an 'extra' or an 'added bonus' in an application. Typically it's just about

RE: [SC-L] Application Insecurity --- Who is at Fault?

2005-04-06 Thread Goertzel Karen
PROTECTED] -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael Silk Sent: Wednesday, April 06, 2005 9:40 AM To: Kenneth R. van Wyk Cc: Secure Coding Mailing List Subject: Re: [SC-L] Application Insecurity --- Who is at Fault? Quoting from

Re: [SC-L] Application Insecurity --- Who is at Fault?

2005-04-06 Thread Dave Paris
And I couldn't disagree more with your perspective, except for your inclusion of managers in parenthesis. Developers take direction and instruction from management, they are not autonomous entities. If management doesn't make security a priority, then only so much secure/defensive code can be

RE: [SC-L] Application Insecurity --- Who is at Fault?

2005-04-06 Thread Michael S Hines
Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael Silk Sent: Wednesday, April 06, 2005 8:40 AM To: Kenneth R. van Wyk Cc: Secure Coding Mailing List Subject: Re: [SC-L] Application Insecurity --- Who is at Fault? Quoting from the article: ''You can't really blame

Re: [SC-L] Application Insecurity --- Who is at Fault?

2005-04-06 Thread Jeff Williams
Wyk [EMAIL PROTECTED] Cc: Secure Coding Mailing List SC-L@securecoding.org Sent: Wednesday, April 06, 2005 9:40 AM Subject: Re: [SC-L] Application Insecurity --- Who is at Fault? Quoting from the article: ''You can't really blame the developers,'' I couldn't disagree more with that ... It's

Re: [SC-L] Application Insecurity --- Who is at Fault?

2005-04-06 Thread Michael Silk
- From: Michael Silk [EMAIL PROTECTED] To: Kenneth R. van Wyk [EMAIL PROTECTED] Cc: Secure Coding Mailing List SC-L@securecoding.org Sent: Wednesday, April 06, 2005 9:40 AM Subject: Re: [SC-L] Application Insecurity --- Who is at Fault? Quoting from the article: ''You can't really

Re: [SC-L] Application Insecurity --- Who is at Fault?

2005-04-06 Thread Michael Silk
] -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael Silk Sent: Wednesday, April 06, 2005 9:40 AM To: Kenneth R. van Wyk Cc: Secure Coding Mailing List Subject: Re: [SC-L] Application Insecurity --- Who is at Fault? Quoting from

Re: [SC-L] Application Insecurity --- Who is at Fault?

2005-04-06 Thread Michael Silk
Inline On Apr 7, 2005 1:06 AM, Dave Paris [EMAIL PROTECTED] wrote: And I couldn't disagree more with your perspective, except for your inclusion of managers in parenthesis. Developers take direction and instruction from management, they are not autonomous entities. If management doesn't