[SC-L] quick question - SXSW

Benjamin Tomhave list-spam at secureconsulting.net
Wed Mar 12 20:08:37 EST 2008 

I think you misunderstood my points a little bit. SXSW was just a 
current conference example. As Gary's pointed out, there are many 
conferences. It's possible SXSW wasn't a good example, but it was meant 
more symbolically. More comments inline...

Arian J. Evans wrote:
> 1. This is largely the wrong crowd. Designers of small web2.0 stuffs,
> particularly the domain of widgets and WS interfaces for all the usual
> suspect platforms (flickr, facebook etc.) as well as most startups:
> 
> They just don't care.
> 
> They will never care.
> 
I fundamentally disagree. Everybody is the right crowd, assuming the 
message is tailored appropriately. It's precisely the perspective you 
espouse that concerns me greatly. I don't believe the security industry 
_as_a_whole_ has maintained momentum, and I attribute that directly to 
the SEP* effect. This goes directly to my larger point about ingraining 
security considerations/thoughtfulness/practices into all aspects of the 
business (not just coding, btw).

*See http://en.wikipedia.org/wiki/Somebody_Else%27s_Problem_field

> 2. This "security DNA" notion -- I don't really buy it. I don't think
> there's a big tipping point coming for "all hands in for writing secure
> software" in our near future. Maybe if people start dying because
> of insecure software, this will change, but until then ...
> 
If everyone starts coding more responsibly, then at some point the genre 
of "secure coding" goes away, because it's inherent in everything that's 
written. Today, I'd settle for all externally-facing apps being coded to 
address the OWASP Top 10, and to get developers to think for a change 
before doing silly things like implementing client-side filtering in the 
client code.

> I do see increasing awareness is mid to large size organizations
> (fortune 2000 +). Developers are more aware and more interested
> in security, but mostly in organizations that penalize (fire or
> domote) individuals involved in public security blunders.
> 
Hard-earned gains. How do we institutionalize these practices and get 
beyond playing the role of Law Enforcement for the security department?

> Overall security is not a feature or a function that you can monetarize.
> It's not even cool or sexy. It's an emergent behavior that is only
> observed when it is making your software harder to use.
> 
On the first sentence, I say "yes, exactly!" On the second sentence, I 
couldn't disagree more. Security should not be "making your software 
harder to use." Address XSS, CSRF, SQL injection, and input/output 
filtering/encoding should not diminish the end-user experience. Things 
like 2-factor authentication might have that result, but we're not 
really talking about that right now.

> Not until insurance or substantial penalties are the norm (if they are
> ever the norm) will we have meaningful quantitative data to drive a
> justification for security as a requirement in startup or most open
> source software projects. That's my opinion, anyway.
> 
I would really like for you to be wrong, but I can't really disagree 
with your base conclusion here. Hence my frustration. It provides a good 
case for shelving all security departments until the business starts 
taking major hits and they come begging for help. Honestly, I don't 
understand it. Businesses don't disagree that they need properly secured 
code/sites/etc. Yet, by the same token, they don't do what's necessary 
up front to secure their code/sites/etc. It's a truly bizarre disconnect 
that boggles my mind.

Thanks for the response! :)

-ben

-- 
Benjamin Tomhave, MS, CISSP
falcon at secureconsulting.net
LI: http://www.linkedin.com/in/btomhave
Blog: http://www.secureconsulting.net/
Photos: http://photos.secureconsulting.net/
Web: http://falcon.secureconsulting.net/

[ Random Quote: ]
"A man without a goal is like a ship without a rudder."
Thomas Carlyle

More information about the SC-L mailing list