[WEB SECURITY] Great article outlining a core issue with many

steve jensen sjensen1207 at hotmail.com
Sun Feb 13 18:56:56 EST 2011


Having been a software developer for almost 10 years and then transitioning into security full-time (I rode the developer/security fence for 4-5 years), I've seen both sides of the fence first hand, and if there is any one entity to blame, it isn't the developers. The blame should be placed on the organization/business, rather than the developers themselves. If companies placed higher importance on security, mandated security as part of the SDLC and ensured their developers received proper training on how to write secure apps, then we wouldn't have this "us vs. them" mentality. Ultimately, the first priority for software development is functionality. If it doesn't work, you can't ship it. If there are issues with it later, you just patch it. That's been the development mentality of the past and will continue to be until the overall business mindset changes.

> From: robert at webappsec.org
> To: tasos.laskos at gmail.com
> Date: Sun, 13 Feb 2011 19:08:09 -0500
> CC: websecurity at webappsec.org
> Subject: Re: [WEB SECURITY] Great article outlining a core issue with many
> 
> > I don't think that a guy saying "Developers don't know shit about 
> > security" (blaming developers) should be taken seriously by security 
> > specialists and developers alike.
> > That goes for most generalizations I suppose (see, I side stepped that 
> > land-mine ;) ).
> 
> While we agree, I tend to see on average 2-3 people per conference saying exactly this, some of them
> presenters. Of the people I've heard saying this, all worked for either a consulting company or a vendor
> and were not actually in a role in a company addressing issues. 
> 
> Regards,
> - Robert 
> http://www.webappsec.org/
> http://www.qasec.com/
> http://www.cgisecurity.com/