WebApp Sec
mailing list archives
Re: Secure Coding? Bah!
From: Juridian <Juridian () localhost localdomain>
Date: Thu, 22 Jan 2004 21:22:26 -0800
I've had pretty much the same experience with few to no other developers
having any security knowledge. Some didn't have the time to learn it, others
thought it was a waste.
I recently read the book 'Building Secure Software'
(http://www.buildingsecuresoftware.com) and it has opened my eyes to the
position of Security Engineer in Development. It might be worth it for some
of you to take a peek. It promotes software developers who focus on security
and help by auditing design, auditing source, consulting with the other
developers, helping set coding standards, etc. I currently fill this role
(without the official title of course) at my current workplace since I'm the
only developer with actual security training. Heck, I've hit as many GIAC
courses as the corporate security officer.
I think the author of the article was on a rant. Things are
changing....slowly....but changing.
- Ernie
Almost every company I've done work at had pretty insecure
code that I had to fix. I know of almost no peer developers
who are security conscious, as well as I know no developers
personally that were taught security as part of their
training.
Seems like this needs to be more two-way
knowledge but most developers just don't care.