[WEB SECURITY] Great article outlining a core issue with many
Mike.Duncan at noaa.gov
Mon Feb 14 10:15:45 EST 2011
-----BEGIN PGP SIGNED MESSAGE-----
Having been a developer for 13yrs prior to working now in AppSec, I
couldn't have said it better.
Businesses (and even .gov), especially now, are trying to grow every
year more so than the last -- so the demands from higher management
(which are unfounded) are going to be about this goal more so than doing
it right -- the overall Security goal. Doing it right means longer
development and assessment times and this just does not seem to fit many
business models right now.
This is the very typical argument of Security v. Business Goals
ultimately. Thanks for point that out -- because it definitely needs to
ISSO, Application Security Specialist
Government Contractor with STG, Inc.
NOAA :: National Climatic Data Center
On 02/13/2011 06:56 PM, steve jensen wrote:
> Having been a software developer for almost 10 years and then
> transitioning into security full-time (I rode the developer/security
> fence for 4-5 years), I've seen both sides of the fence first hand and
> if there is anyone entity to blame, it isn't the developers. The blame
> should be placed on the organization/business, rather than the
> developers themselves. If companies placed higher importance on
> security, mandated security as part of the SDLC and ensured their
> developers received proper training on how to write secure apps, then we
> wouldn't have this "us vs. them" mentality. Ultimately, the first
> priority for software development is functionality. If it doesn't work,
> you can't ship it. If there's issues with it later, you just patch it.
> That's been the development mentality of the past and will continue to
> be until the overall business mindset changes.
>> From: robert at webappsec.org
>> To: tasos.laskos at gmail.com
>> Date: Sun, 13 Feb 2011 19:08:09 -0500
>> CC: websecurity at webappsec.org
>> Subject: Re: [WEB SECURITY] Great article outlining a core issue with many
>> > I don't think that a guy saying "Developers don't know shit about
>> > security" (blaming developers) should be taken seriously by security
>> > specialists and developers alike.
>> > That goes for most generalizations I suppose (see, I side stepped that
>> > land-mine ;) ).
>> While we agree, I tend to see on average 2-3 people per conference
> saying exactly this, some of them
>> presenters. Of the people I've heard saying this, all worked for
> either a consulting company or a vendor
>> and were not actually in a role in a company addressing issues.
>> - Robert
>> The Web Security Mailing List
>> WebSecurity RSS Feed
>> Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>> WASC on Twitter
>> websecurity at lists.webappsec.org
> The Web Security Mailing List
> WebSecurity RSS Feed
> Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
> WASC on Twitter
> websecurity at lists.webappsec.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.15 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
-----END PGP SIGNATURE-----
More information about the websecurity