WebApp Sec: Re: Secure Coding? Bah!

[Mark Curphey <mark () curphey com>]

Interesting but I have exactly the opposite opinion and experience. I know you often get great buy in from developers 
interested in new techniques and new challenges. If you approach them with a whip you have to expect a fight, but when 
approached with compassion people almost always want to do the right thing. 

To use your dog analogy, if you dont train them then you will never get better. This is like saying, my dogs always 
going to poop on the front step, gotta use the back door and accept it! 

Just my humble opinion ;-)

---- Adam Tuliper <amt () gecko-software com> wrote:
> credentials or not.. he's right on almost every aspect.
>
> Almost every company I've done work at had pretty insecure
> code that I had to fix. I know of almost no peer developers
> who are security conscious, as well as I know no developers
> personally that were taught security as part of their
> training.  It never ceases to amaze me how many developers
> know next to nothing about writing secure code. You tell
> them about a sql injection attack and they look at you like
> a dog who just heard a funny noise and turns its head
> sideways. Ironically the only people I know who seme to
> have any idea about security are the same ones who could
> hack your systems. Seems like this needs to be more two-way
> knowledge but most developers just don't care.
> On Thu, 22 Jan 2004 21:42:24 -0500 (EST)
>  Mark Curphey <mark () curphey com> wrote:
> > Does anyone know of any information about this authors
> > credentials to make
> > these claims ?
> http://infosecuritymag.techtarget.com/ss/0,295796,sid6_iss306_art550,00.html
>
> ---------------------------------------------------------------------
> Web mail provided by NuNet, Inc. The Premier National provider.
> http://www.nni.com/