Home page logo

basics logo Security Basics mailing list archives

Re: A Question of Quality
From: Deaths_Fury <Deaths_Fury () hotmail com>
Date: Tue, 04 Nov 2008 09:50:28 -0700

Daniël W. Crompton wrote:
2008/11/2 Robert Hajime Lanning <robert.lanning () gmail com>:
On Thu, Oct 30, 2008 at 4:55 PM, Yousef Syed <yousef.syed () gmail com> wrote:
Why isn't Quality Assumed?
Why isn't Security Assumed?
Why are these concepts thought of as add ons to Applications and Services?

Why do they need to be specified, when they should be taken for granted?

I believe one of the issues is, pride of ownership in the end product.

A lot of the coding is now outsourced to cheap code houses.  These people
do not have ownership or attribution.  They have no reason to take any extra
steps, that are not specified in the contract.  If it is not in the
contract, they
are not being paid for it.

I have to disagree with you there, even if you examine code that comes
from internally where they have pride of ownership there are many
security considerations which are only later applied to the product.
Many times it's the case that security aspects are tacked on later,
rather than being considered from the outset.


blaze your trail


Though both Daniel and Robert have great points, I would have to agree with Daniel and Yousef. The problem is not so much in outsourcing to cheap code houses, it is more about the security needs being "tacked on later" (to quote Daniel) and managers pushing time and budget over quality security focus. I work a lot with the open-source community and though we do not generally have the problem with the managers, we do have an issue with security being left until last and with developers who are undereducated in security who bring updates that are just accidents waiting to happen.

I think, however, that the largest problem is simply with developers who do not have the drive to make a secured application. I remember when I was starting out, I couldn't care less about security. In the years since then I have gained a respect for myself and my work and due to that, I have become more aware of how the security of the application reflects on my work personally. I have found that a lot of developers do not gain that sense of respect and worth for their work, which makes it harder for those of us who are concerned about it. Rather than push managements as a group for higher security standards as Yousef suggested, we first need to convince our fellow developers that security is something we should hold ourselves to. The management will not change because one of a team pushes, however if that one voice turns into 5 or 10 or more (depending on team sizes of course), the management has a larger chance of listening.

I personally do not have much experience with negotiating contracts with clients, however one of the suggestions for management that I can think of would be to inform the client of the necessity of security in an application and then negotiate a larger dollar amount. Inform the client fully about why the number is larger than what others could offer, and then be sure to explain the risks in not including the security that you offer for a larger sum. Perhaps that is just a naive idea from someone who is inexperienced with contract negotiation or the entire contract process, but I figured I would get it out there. Even if that itself would not work, there may be some other idea stemming from that. Food for thought, if you will.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]