websecurity@lists.webappsec.org

The Web Security Mailing List


Great article outlining a core issue with many in the security community

TL
Tasos Laskos
Sun, Feb 13, 2011 11:05 PM

I don't think that a guy saying "Developers don't know shit about
security" (blaming developers) should be taken seriously by security
specialists and developers alike.
That goes for most generalizations I suppose (see, I sidestepped that
land-mine ;) ).

I'm not really sure what to comment here...(yes I know I don't have to
comment) so I'll utilize a philosophical device:

  • To each his own

In more clear terms:

  • Would this guy be happy if everything was perfectly secure and he
    didn't have a job?

And now for a more humoristic analogy:

  • I feel about the lack of security like I feel about gay men, I'm glad
    they exist 'cause this means there's more work/women for me to do.

Now, if this is a more widespread belief, of which I'm unaware, I kinda
pity these fools. (heh...)

Cheers,
Tasos L.

On 13/02/2011 11:27 PM, robert@webappsec.org wrote:
> I saw this posted via twitter and thought it was worth mentioning here. While the example specifies owasp, I am not posting this link to slam
> them in particular. I think that the point applies to MANY folks in the security industry.
>
> Security Vs Developers
> http://appsandsecurity.blogspot.com/2011/02/security-people-vs-developers.html
>
> Regards,
> - Robert Auger
> WASC Co Founder/Moderator of The Web Security Mailing List
> http://www.qasec.com/
> http://www.webappsec.org/
>
> _______________________________________________
> The Web Security Mailing List
>
> WebSecurity RSS Feed
> http://www.webappsec.org/rss/websecurity.rss
>
> Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>
> WASC on Twitter
> http://twitter.com/wascupdates
>
> websecurity@lists.webappsec.org
> http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org

R
robert@webappsec.org
Sun, Feb 13, 2011 11:27 PM

I saw this posted via twitter and thought it was worth mentioning here. While the example specifies owasp, I am not posting this link to slam
them in particular. I think that the point applies to MANY folks in the security industry.

Security Vs Developers
http://appsandsecurity.blogspot.com/2011/02/security-people-vs-developers.html

Regards,
- Robert Auger
WASC Co Founder/Moderator of The Web Security Mailing List
http://www.qasec.com/
http://www.webappsec.org/
TL
Tasos Laskos
Sun, Feb 13, 2011 11:51 PM

Makes sense for a few people to be bad apples or say something stupid
despite their field, nationality, etc.
I've walked out of many a lecture (and even moved abroad, and sadly,
kept walking out of lectures) because of such people.

Starting flame-wars on twitter and blogs and the like because a few
people are being ignorant or had a bad day or wanted to get (bad) press
doesn't seem to serve any point.

In Greece we have a saying for the people you described:
Those who are out of the dance know a lot of songs.

And it's true that we're low in the business process, when you're
building a house you don't start by putting in the locks.
A nuclear silo is a totally different thing though...

(I'm big on metaphors, house == ordinary business, nuclear silo == a top
secret gov network...or an actual nuclear silo I guess.)

The main problem seems to be lack of perspective though, we're always
working in security so we tend to think that that's all that matters
in an attempt to boost our self worth I suppose.

It's not bad for one to take pride in his work, but the more one needs an
ego boost the less well-rounded he'll turn out to be;
that theory is easily verified by just turning on the TV and observing
today's pseudo-celebrities.

On 14/02/2011 12:08 AM, robert@webappsec.org wrote:
>> I don't think that a guy saying "Developers don't know shit about
>> security" (blaming developers) should be taken seriously by security
>> specialists and developers alike.
>> That goes for most generalizations I suppose (see, I sidestepped that
>> land-mine ;) ).
>
> While we agree, I tend to see on average 2-3 people per conference saying exactly this, some of them
> presenters. Of the people I've heard saying this, all worked for either a consulting company or a vendor
> and were not actually in a role in a company addressing issues.
>
> Regards,
> - Robert
> http://www.webappsec.org/
> http://www.qasec.com/
> http://www.cgisecurity.com/

SJ
steve jensen
Sun, Feb 13, 2011 11:56 PM

Having been a software developer for almost 10 years and then transitioning into security full-time (I rode the developer/security fence for 4-5 years), I've seen both sides of the fence first hand, and if there is any one entity to blame, it isn't the developers. The blame should be placed on the organization/business, rather than the developers themselves. If companies placed higher importance on security, mandated security as part of the SDLC and ensured their developers received proper training on how to write secure apps, then we wouldn't have this "us vs. them" mentality. Ultimately, the first priority for software development is functionality. If it doesn't work, you can't ship it. If there are issues with it later, you just patch it. That's been the development mentality of the past and will continue to be until the overall business mindset changes.

> From: robert@webappsec.org
> To: tasos.laskos@gmail.com
> Date: Sun, 13 Feb 2011 19:08:09 -0500
> CC: websecurity@webappsec.org
> Subject: Re: [WEB SECURITY] Great article outlining a core issue with many
>
> > I don't think that a guy saying "Developers don't know shit about
> > security" (blaming developers) should be taken seriously by security
> > specialists and developers alike.
> > That goes for most generalizations I suppose (see, I sidestepped that
> > land-mine ;) ).
>
> While we agree, I tend to see on average 2-3 people per conference saying exactly this, some of them
> presenters. Of the people I've heard saying this, all worked for either a consulting company or a vendor
> and were not actually in a role in a company addressing issues.
>
> Regards,
> - Robert
> http://www.webappsec.org/
> http://www.qasec.com/
> http://www.cgisecurity.com/


R
robert@webappsec.org
Mon, Feb 14, 2011 12:08 AM

> I don't think that a guy saying "Developers don't know shit about
> security" (blaming developers) should be taken seriously by security
> specialists and developers alike.
> That goes for most generalizations I suppose (see, I sidestepped that
> land-mine ;) ).

While we agree, I tend to see on average 2-3 people per conference saying exactly this, some of them
presenters. Of the people I've heard saying this, all worked for either a consulting company or a vendor
and were not actually in a role in a company addressing issues.

Regards,
- Robert
http://www.webappsec.org/
http://www.qasec.com/
http://www.cgisecurity.com/

MZ
Michal Zalewski
Mon, Feb 14, 2011 2:17 AM

> I saw this posted via twitter and thought it was worth mentioning here. While the example specifies owasp

Oh, that OWASP thing still around?;-)

I don't quite understand the point of trying to pin the blame. Yes,
developers make mistakes. So do organizations that employ them. And
too often, so do armchair experts who criticize them without offering
any real solutions.

I mean, no matter how good your security skills are, if you think you
can write your own GMail or Facebook on a reasonable schedule, and not
introduce a healthy amount of XSS flaws, you're probably wrong.
Publishing a brand new XSS cheatsheet, a super-awesome security
testing tool, or a flaming hot secure development methodology is not
changing this appreciably.

But then, we wouldn't be here weren't it for the "silly" mistakes of
the developers who built the foundations of the modern, horribly
error-prone web. To which, they can respond that the security
community wasn't exactly there to offer useful insight. And perhaps
for the better, given that many of the "brilliant" ideas how to fix
XSS once and for all are hopelessly out of touch.

Rinse, repeat.

/mz

FL
Fonix Li
Mon, Feb 14, 2011 2:54 AM

I second MZ.

In most situations, the question is more like: how secure can I make my application, given the resource, schedule and feature requirements?

/Fonix


From: websecurity-bounces@lists.webappsec.org on behalf of Michal Zalewski
Sent: 2011-2-13 (Sunday) 18:17
To: robert@webappsec.org
Cc: websecurity@lists.webappsec.org
Subject: Re: [WEB SECURITY] Great article outlining a core issue with many in the security community

>> I saw this posted via twitter and thought it was worth mentioning here. While the example specifies owasp
>
> Oh, that OWASP thing still around?;-)
>
> I don't quite understand the point of trying to pin the blame. Yes,
> developers make mistakes. So do organizations that employ them. And
> too often, so do armchair experts who criticize them without offering
> any real solutions.
>
> I mean, no matter how good your security skills are, if you think you
> can write your own GMail or Facebook on a reasonable schedule, and not
> introduce a healthy amount of XSS flaws, you're probably wrong.
> Publishing a brand new XSS cheatsheet, a super-awesome security
> testing tool, or a flaming hot secure development methodology is not
> changing this appreciably.
>
> But then, we wouldn't be here weren't it for the "silly" mistakes of
> the developers who built the foundations of the modern, horribly
> error-prone web. To which, they can respond that the security
> community wasn't exactly there to offer useful insight. And perhaps
> for the better, given that many of the "brilliant" ideas how to fix
> XSS once and for all are hopelessly out of touch.
>
> Rinse, repeat.
>
> /mz


AG
Andre Gironda
Mon, Feb 14, 2011 3:08 AM

I think I have the 20 year answer.

But y'all are not going to like it.

I've been seeing a lot of these "wtf are we going to do" moments recently.
See dailydave's recent posts.

We lost. We have to live with APT. Is Anonymous our friend or enemy? Are we
the enemy?

No, to you (the security community), your arch-nemesis is sitting in the
cube or coffee shop next to you. He's a developer, just like you. His
chain-of-command and yours are responsible for the cleanup of this mess and
sustainable results. Get them talking. Co-ordinate by co-operating.

Andre
On Feb 13, 2011 7:43 PM, "Michal Zalewski" <lcamtuf@coredump.cx> wrote:
>> I saw this posted via twitter and thought it was worth mentioning here. While the example specifies owasp
>
> Oh, that OWASP thing still around?;-)
>
> I don't quite understand the point of trying to pin the blame. Yes,
> developers make mistakes. So do organizations that employ them. And
> too often, so do armchair experts who criticize them without offering
> any real solutions.
>
> I mean, no matter how good your security skills are, if you think you
> can write your own GMail or Facebook on a reasonable schedule, and not
> introduce a healthy amount of XSS flaws, you're probably wrong.
> Publishing a brand new XSS cheatsheet, a super-awesome security
> testing tool, or a flaming hot secure development methodology is not
> changing this appreciably.
>
> But then, we wouldn't be here weren't it for the "silly" mistakes of
> the developers who built the foundations of the modern, horribly
> error-prone web. To which, they can respond that the security
> community wasn't exactly there to offer useful insight. And perhaps
> for the better, given that many of the "brilliant" ideas how to fix
> XSS once and for all are hopelessly out of touch.
>
> Rinse, repeat.
>
> /mz


MZ
Michal Zalewski
Mon, Feb 14, 2011 3:18 AM

> I've been seeing a lot of these "wtf are we going to do" moments recently.
> See dailydave's recent posts.

I actually had a speculative blog post about it a while ago:

http://lcamtuf.blogspot.com/2010/09/rise-and-fall-of-perfect-security.html

I'm not sure we're "losing" any more than ten years ago - there is
more PR and community exposure, but perhaps that's it? But we might be
fighting the wrong battle to begin with.

/mz

OS
Ory Segal
Mon, Feb 14, 2011 7:21 AM

Hi,

Developers shouldn't be blamed for not writing secure applications - it's
usually the fault of product owners and stakeholders that don't define
(and prioritize) security as a critical requirement for a software
project.

You don't expect developers to build a pretty and usable user interface,
you also don't expect them to define the flow and logic of your
application. That's why product owners and stakeholders have to define
product requirements, use cases, users, scenarios, etc.

Developers develop code, which should adhere to the requirements of the
project.

As long as security isn't a first-class citizen in the world of software
requirements, I suspect we won't see software that is secure by design.

Having security requirements also means that product owners, developers
and QA teams can verify that the requirements are met. They can measure
their success, and understand how to get better. Anything less than this
is simply a waste of time, i.e. bolting security on the project in
hindsight.

What we do need to ask ourselves is: if nobody is prioritizing security
as a critical software requirement, what are we doing wrong here?

-Ory

Ory Segal
Security Products Architect
AppScan Product Manager
Rational, Application Security
IBM Corporation
Tel: +972-9-962-9836
Mobile: +972-54-773-9359
e-mail: segalory@il.ibm.com

> From:  robert@webappsec.org
> To:    websecurity@lists.webappsec.org
> Date:  14/02/2011 12:36 AM
> Subject:        [WEB SECURITY] Great article outlining a core issue with
> many in the security community
> Sent by:        websecurity-bounces@lists.webappsec.org
>
> I saw this posted via twitter and thought it was worth mentioning here.
> While the example specifies owasp, I am not posting this link to slam
> them in particular. I think that the point applies to MANY folks in the
> security industry.
>
> Security Vs Developers
> http://appsandsecurity.blogspot.com/2011/02/security-people-vs-developers.html
>
> Regards,
> - Robert Auger
> WASC Co Founder/Moderator of The Web Security Mailing List
> http://www.qasec.com/
> http://www.webappsec.org/

