[WEB SECURITY] Great article outlining a core issue with many in the security community

Milton Smith msmith at successfactors.com
Thu Feb 17 14:58:31 EST 2011

I know there are a ton of replies but I'm going to get my 2 cents as

It's likely the priority list would be different if John polled customers
<grin>.  Most large software customers with significant resources do not
take the claims of vendors in areas of security and performance at face
value.  These customers conduct their own security and performance
assessments.  Depending upon the results they may defer purchases if the
product does not, or cannot, meet their expectations.

The real challenge for security is visibility.  A product that is highly
secure presents the same user interface as one that is not.  It takes
significant resources and expertise to establish the security posture for
a prospective product -- to make the invisible, visible.  Such resources
are out of reach for most small to medium businesses and individuals.  All
product features being equal, it's likely most will pay a little more
money for a product that is also secure.  After all, security does cost

David Rice had an awesome presentation at OWASP AppSec 2010 in Irvine,
California.  He draws an analogy between pollution and security and how
the world's tolerance for poor security is changing.  Security
professionals are the "tree huggers" of cyber space - I like that.  There
might be a YouTube version out there.

(ok, 3 cents)


On 2/13/11 3:27 PM, "robert at webappsec.org" <robert at webappsec.org> wrote:

>I saw this posted via twitter and thought it was worth mentioning here.
>While the example specifies owasp, I am not posting this link to slam
>them in particular. I think that the point applies to MANY folks in the
>security industry.
>Security Vs Developers
>- Robert Auger
>WASC Co Founder/Moderator of The Web Security Mailing List