[WEB SECURITY] Great article outlining a core issue with many in the security community

Steven M. Christey coley at rcf-smtp.mitre.org
Mon Feb 14 09:23:15 EST 2011

On Mon, 14 Feb 2011, Ory Segal wrote:

> What we do need to ask ourselves is - if nobody is prioritizing security 
> as a critical software requirement - what are we doing wrong here???

The news isn't all bleak.  But, I think there are at least 3 main issues 
at play right now:

1) As already mentioned, there is not enough engagement or education with 
the developer community. I agree that reaching out more to developers is a 
very important strategy.

2) We are not effectively translating security into actual impact on the 
business or mission.

3) Customers don't know how to ask for "more security."

To expand on point 3 a bit...

I believe that in the past, there wasn't enough consumer interest in 
security to make it affect a software vendor's bottom line.  At this stage 
though, there are enough large organizations who care about security to 
consider putting it into contract language.

Now the problem is shifting to the question: how do you know how secure a 
piece of software really is?  Consumers need help in knowing what to ask 
for and how to ask for it.  "New" efforts like CWSS and Jeff Williams' 
security facts label, combined with ongoing work such as DHS' assurance 
cases, OWASP's secure contract annex, BSIMM, OWASP Top Ten, CWE Top 25, 
etc. are all laying the groundwork that should ultimately make it easier 
for customers to ask for more security.

There will probably be a bit of churn and controversy as assurance metrics 
are developed, since we still don't have a quantitatively-defensible way 
to say how well various techniques work for which security concerns, 
especially while there are questionable rates of false positives and false 

My belief is that once software-assurance measurement starts to become 
"usable" to consumers, there will be an increasing push toward security as 
a requirement (or at least, a desired feature), which will then ultimately 
impact the day-to-day developer.  We're getting there, though.

- Steve
