Re: A Question of Quality
From: Deaths_Fury <Deaths_Fury () hotmail com>
Date: Tue, 04 Nov 2008 09:50:28 -0700
Though both Daniel and Robert have great points, I would have to agree
with Daniel and Yousef. The problem is not so much in outsourcing to
cheap code houses; it is more about the security needs being "tacked on
later" (to quote Daniel) and managers pushing time and budget over a
quality security focus. I work a lot with the open-source community and,
though we do not generally have the problem with the managers, we do
have an issue with security being left until last and with developers
who are undereducated in security and who bring updates that are just
accidents waiting to happen.

Daniël W. Crompton wrote:
> 2008/11/2 Robert Hajime Lanning <robert.lanning () gmail com>:
>> On Thu, Oct 30, 2008 at 4:55 PM, Yousef Syed <yousef.syed () gmail com> wrote:
>>> Why isn't Quality Assumed?
>>> Why isn't Security Assumed?
>>> Why are these concepts thought of as add-ons to Applications and Services?
>>> Why do they need to be specified, when they should be taken for granted?
>>
>> I believe one of the issues is pride of ownership in the end product.
>> A lot of the coding is now outsourced to cheap code houses. These people
>> do not have ownership or attribution. They have no reason to take any extra
>> steps that are not specified in the contract. If it is not in the
>> are not being paid for it.
>
> I have to disagree with you there. Even if you examine code that comes
> from internally, where they have pride of ownership, there are many
> security considerations which are only later applied to the product.
> Many times it's the case that security aspects are tacked on later,
> rather than being considered from the outset.
>
> blaze your trail
I think, however, that the largest problem is simply with developers who
do not have the drive to make a secured application. I remember when I
was starting out, I couldn't care less about security. In the years
since then I have gained a respect for myself and my work, and due to
that I have become more aware of how the security of the application
reflects on my work personally. I have found that a lot of developers do
not gain that sense of respect and worth for their work, which makes it
harder for those of us who are concerned about it. Rather than push
management as a group for higher security standards as Yousef
suggested, we first need to convince our fellow developers that security
is something we should hold ourselves to. Management will not change
because one member of a team pushes; however, if that one voice turns into 5 or
10 or more (depending on team sizes, of course), management has a
larger chance of listening.
I personally do not have much experience with negotiating contracts with
clients; however, one of the suggestions for management that I can think
of would be to inform the client of the necessity of security in an
application and then negotiate a larger dollar amount. Inform the client
fully about why the number is larger than what others could offer, and
then be sure to explain the risks of not including the security that you
offer for the larger sum. Perhaps that is just a naive idea from someone
who is inexperienced with contract negotiation or the entire contract
process, but I figured I would get it out there. Even if that itself
would not work, there may be some other idea stemming from it. Food
for thought, if you will.