[WEB SECURITY] Great article outlining a core issue with many in the security community

Ory Segal SEGALORY at il.ibm.com
Mon Feb 14 02:21:56 EST 2011


Developers shouldn't be blamed for not writing secure applications - it's 
usually the fault of product owners and stakeholders that don't define 
(and prioritize) security as a critical requirement for a software 

You don't expect developers to build a pretty and usable user interface, 
you also don't expect them to define the flow and logic of your 
application. That's why product owners and stakeholders have to define 
product requirements, use cases, users, scenarios, etc. 

Developers develop code, which should adhere to the requirements of the 

As long as security won't be a 1st class citizen in the world of software 
requirements, I suspect we won't see software that is secure by design.

Having security requirements also means that product owners, developers 
and QA teams can verify that the requirements are met. They can measure 
their success, and understand how to get better. Anything less than this 
is simply a waste of time, i.e. bolting security on the project in 

What we do need to ask ourselves is - if nobody is prioritizing security 
as a critical software requirement - what are we doing wrong here???

Ory Segal
Security Products Architect
AppScan Product Manager
Rational, Application Security
IBM Corporation
Tel: +972-9-962-9836
Mobile: +972-54-773-9359
e-mail: segalory at il.ibm.com 

From:   robert at webappsec.org
To:     websecurity at lists.webappsec.org
Date:   14/02/2011 12:36 AM
Subject:        [WEB SECURITY] Great article outlining a core issue with many in the security community
Sent by:        websecurity-bounces at lists.webappsec.org

I saw this posted via twitter and thought it was worth mentioning here. 
While the example specifies OWASP, I am not posting this link to slam
them in particular. I think that the point applies to MANY folks in the 
security industry.

Security Vs Developers

- Robert Auger
WASC Co Founder/Moderator of The Web Security Mailing List
