I don't think that a guy saying "Developers don't know shit about
security" (blaming developers) should be taken seriously by security
specialists and developers alike.
That goes for most generalizations I suppose (see, I side-stepped that
land-mine ;) ).
I'm not really sure what to comment here... (yes, I know I don't have to
comment) so I'll utilize a philosophical device:
In clearer terms:
And now for a more humoristic analogy:
Now, if this is a more wide-spread belief, of which I'm unaware, I kinda
pity these fools. (heh...)
Cheers,
Tasos L.
On 13/02/2011 11:27 PM, robert@webappsec.org wrote:
I saw this posted via twitter and thought it was worth mentioning here. While the example specifies owasp, I am not posting this link to slam
them in particular. I think that the point applies to MANY folks in the security industry.
Security Vs Developers
http://appsandsecurity.blogspot.com/2011/02/security-people-vs-developers.html
Regards,
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
Makes sense for a few people to be bad apples or say something stupid
despite their field, nationality, etc.
I've walked out of many a lecture (and even moved abroad, and sadly,
kept walking out of lectures) because of such people.
Starting flame-wars on twitter and blogs and the like because a few
people are being ignorant or had a bad day or wanted to get (bad) press
doesn't seem to serve any point.
In Greece we have a saying for the people you described:
Those who are out of the dance know a lot of songs.
And it's true that we're low in the business process; when you're
building a house you don't start by putting in the locks.
A nuclear silo is a totally different thing though...
(I'm big on metaphors, house == ordinary business, nuclear silo == a top
secret gov network... or an actual nuclear silo I guess.)
The main problem seems to be lack of perspective though: we're always
working in security so we tend to think that that's all that matters,
in an attempt to boost our self-worth I suppose.
It's not bad for one to take pride in his work, but the more one needs an
ego boost the less well-rounded he'll turn out to be;
that theory is easily verified by just turning on the TV and observing
today's pseudo-celebrities.
On 14/02/2011 12:08 AM, robert@webappsec.org wrote:
I don't think that a guy saying "Developers don't know shit about
security" (blaming developers) should be taken seriously by security
specialists and developers alike.
That goes for most generalizations I suppose (see, I side-stepped that
land-mine ;) ).
While we agree, I tend to see on average 2-3 people per conference saying exactly this, some of them
presenters. Of the people I've heard saying this, all worked for either a consulting company or a vendor
and were not actually in a role in a company addressing issues.
Regards,
Having been a software developer for almost 10 years and then transitioning into security full-time (I rode the developer/security fence for 4-5 years), I've seen both sides of the fence first hand, and if there is any one entity to blame, it isn't the developers. The blame should be placed on the organization/business, rather than the developers themselves. If companies placed higher importance on security, mandated security as part of the SDLC and ensured their developers received proper training on how to write secure apps, then we wouldn't have this "us vs. them" mentality. Ultimately, the first priority for software development is functionality. If it doesn't work, you can't ship it. If there are issues with it later, you just patch it. That's been the development mentality of the past and will continue to be until the overall business mindset changes.
From: robert@webappsec.org
To: tasos.laskos@gmail.com
Date: Sun, 13 Feb 2011 19:08:09 -0500
CC: websecurity@webappsec.org
Subject: Re: [WEB SECURITY] Great article outlining a core issue with many
I don't think that a guy saying "Developers don't know shit about
security" (blaming developers) should be taken seriously by security
specialists and developers alike.
That goes for most generalizations I suppose (see, I side-stepped that
land-mine ;) ).
While we agree, I tend to see on average 2-3 people per conference saying exactly this, some of them
presenters. Of the people I've heard saying this, all worked for either a consulting company or a vendor
and were not actually in a role in a company addressing issues.
Regards,
I saw this posted via twitter and thought it was worth mentioning here. While the example specifies owasp
Oh, that OWASP thing still around? ;-)
I don't quite understand the point of trying to pin the blame. Yes,
developers make mistakes. So do organizations that employ them. And
too often, so do armchair experts who criticize them without offering
any real solutions.
I mean, no matter how good your security skills are, if you think you
can write your own GMail or Facebook on a reasonable schedule, and not
introduce a healthy amount of XSS flaws, you're probably wrong.
Publishing a brand new XSS cheatsheet, a super-awesome security
testing tool, or a flaming hot secure development methodology is not
changing this appreciably.
But then, we wouldn't be here if it weren't for the "silly" mistakes of
the developers who built the foundations of the modern, horribly
error-prone web. To which they can respond that the security
community wasn't exactly there to offer useful insight. And perhaps
for the better, given that many of the "brilliant" ideas on how to fix
XSS once and for all are hopelessly out of touch.
Rinse, repeat.
/mz
I second MZ.
In most situations, the question is: how secure can I make my application, given the resource, schedule and feature requirements?
/Fonix
From: websecurity-bounces@lists.webappsec.org on behalf of Michal Zalewski
Sent: 2011-2-13 (Sunday) 18:17
To: robert@webappsec.org
Cc: websecurity@lists.webappsec.org
Subject: Re: [WEB SECURITY] Great article outlining a core issue with many in the security community
I think I have the 20 year answer.
But y'all are not going to like it.
I've been seeing a lot of these "wtf are we going to do" moments recently.
See dailydave's recent posts.
We lost. We have to live with APT. Is Anonymous our friend or enemy? Are we
the enemy?
No, to you (the security community), your arch-nemesis is sitting in the
cube or coffee shop next to you. He's a developer, just like you. His
chain-of-command and yours are responsible for the cleanup of this mess and
sustainable results. Get them talking. Co-ordinate by co-operating.
Andre
On Feb 13, 2011 7:43 PM, "Michal Zalewski" lcamtuf@coredump.cx wrote:
I've been seeing a lot of these "wtf are we going to do" moments recently.
See dailydave's recent posts.
I actually had a speculative blog post about it a while ago:
http://lcamtuf.blogspot.com/2010/09/rise-and-fall-of-perfect-security.html
I'm not sure we're "losing" any more than ten years ago - there is
more PR and community exposure, but perhaps that's it? But we might be
fighting the wrong battle to begin with.
/mz
Hi,
Developers shouldn't be blamed for not writing secure applications - it's
usually the fault of product owners and stakeholders that don't define
(and prioritize) security as a critical requirement for a software
project.
You don't expect developers to build a pretty and usable user interface,
you also don't expect them to define the flow and logic of your
application. That's why product owners and stakeholders have to define
product requirements, use cases, users, scenarios, etc.
Developers develop code, which should adhere to the requirements of the
project.
As long as security isn't a first-class citizen in the world of software
requirements, I suspect we won't see software that is secure by design.
Having security requirements also means that product owners, developers
and QA teams can verify that the requirements are met. They can measure
their success, and understand how to get better. Anything less than this
is simply a waste of time, i.e. bolting security on the project in
hindsight.
What we do need to ask ourselves is: if nobody is prioritizing security
as a critical software requirement, what are we doing wrong here?
Ory Segal
Security Products Architect
AppScan Product Manager
Rational, Application Security
IBM Corporation
Tel: +972-9-962-9836
Mobile: +972-54-773-9359
e-mail: segalory@il.ibm.com
From: robert@webappsec.org
To: websecurity@lists.webappsec.org
Date: 14/02/2011 12:36 AM
Subject: [WEB SECURITY] Great article outlining a core issue with
many in the security community
Sent by: websecurity-bounces@lists.webappsec.org