[SC-L] quick question - SXSW
Kenneth Van Wyk
ken at krvw.com
Wed Mar 12 17:34:24 EST 2008
Ben,
Your point is a good one -- the software security community needs to
be vigilant in reaching out to developers and spreading "the word".
FWIW, some dev conferences have done this. I spoke at SD West in
2006, and there was a significant security track there. Still, it'd
be great to see that sort of thing at more dev-specific conferences.
Cheers,
Ken van Wyk
SC-L Moderator
On Mar 12, 2008, at 5:31 PM, Benjamin Tomhave wrote:
> First, thanks for that Bill, it exemplifies my point perfectly. A couple
> thoughts...
>
> one, targeting designers is just as important as reaching out to the
> developers themselves... if the designers can ensure that security
> requirements are incorporated from the outset, then we receive an added
> benefit...
>
> two, a re-phrasing around my original thought... somehow we need to get
> security thinking and considerations encoded into the DNA of everyone in
> the business, whether they be designers, architects, coders, analysts,
> PMs, sysadmins, etc, etc, etc. Every one of those topics you mention
> could (should!) have had implicit and explicit security attributes
> included... yet we're still at the point where secure coding has to be
> explicitly requested/demanded (often as an afterthought or bolt-on)...
>
> How do we as infosec professionals get people to the next phase of
> including security thoughts in everything they do... with the end-goal
> being that it is then integrated fully into practices and processes as a
> bona fide genetic mutation that is passed along to future generations?
>
> To me, this seems to be where infosec is stuck as an industry. There
> seems to be a need for a catalyst to spur the mutation so that it can
> have a life of its own. :)
>
> fwiw.
>
> -ben
>
> --
> Benjamin Tomhave, MS, CISSP
> falcon at secureconsulting.net
> LI: http://www.linkedin.com/in/btomhave
> Blog: http://www.secureconsulting.net/
> Photos: http://photos.secureconsulting.net/
> Web: http://falcon.secureconsulting.net/
>
> [ Random Quote: ]
> Augustine's Second Law of Socioscience: "For every scientific (or
> engineering) action, there is an equal and opposite social reaction."
> http://globalnerdy.com/2007/07/18/laws-of-software-development/
>
> William L. Anderson wrote:
>> Dear Ben, having just been at SXSW Interactive (I live in Austin, TX) I
>> did not see many discussions that pay attention to security, or any
>> other software engineering oriented concerns, explicitly.
>>
>> There was a discussion of scalability for web services that featured the
>> developers from digg, Flickr, WordPress, and Media Temple. I got there
>> about half-way through but the discussion with the audience was about
>> tools and methods to handle high traffic loads. There was a question
>> about build and deployment strategies and I asked about unit testing
>> (mixed answers - some love it, some think it's strong-arm micro-mgt (go
>> figure)).
>>
>> There was a session on OpenID and OAuth (open authorization) standards
>> and implementation. These discussions kind of assume the use of secure
>> transports but since I couldn't stay the whole time I don't know if
>> secure coding was addressed explicitly.
>>
>> The main developer attendees at SXSW would call themselves designers and
>> I would guess many of them are doing web development in PHP, Ruby, etc.
>> I think the majority of attendees would not classify themselves as
>> software programmers.
>>
>> To me it seems very much like a craft culture. That doesn't mean that a
>> track on how to develop secure web services wouldn't be popular. In fact
>> it might be worth proposing one for next year.
>>
>> If you want to talk further, please get in touch.
>>
>> -Bill Anderson
>> praxis101.com
>>
>> Benjamin Tomhave wrote:
>>> I had just a quick query for everyone out there, with an attached thought.
>>>
>>> How many security and/or secure coding professionals are prevalently
>>> involved with the SXSW conference this week? I know, I know... it's a big
>>> party for developers - particularly the Web 2.0 clique - but I'm just
>>> curious.
>>>
>>> Here's why: I'm increasingly frustrated by the disconnect between
>>> business/dev and security. I don't feel like we're being largely
>>> successful in getting the business and developers to include security as
>>> part of their standard operating procedures. Developers are still
>>> oftentimes lazy and sloppy, creating XSS and CSRF and SQL injection holes.
>>>
>>> I then look at SXSW from afar and think: a) shouldn't I be there
>>> evangelizing security? and, b) shouldn't a major thread to all these
>>> conferences be about how security is integrating with dev processes and
>>> practices, making it better?
>>>
>>> Maybe I'm just too idealistic. I'm curious what everyone else thinks.
>>>
>>> cheers,
>>>
>>> -ben
>>>