WebApp Sec: RE: Secure Coding? Bah!

["Taco Fleur" <tacofleur () nella net au>]

I'm a bit lost here, this list is called Security Focus (i.e. Focus on
security) right? I am in the right place right?

Taco Fleur
Blog http://www.tacofleur.com/index/blog/
Methodology http://www.tacofleur.com/index/methodology/
0421 851 786
Tell me and I will forget
Show me and I will remember
Teach me and I will learn 


> -----Original Message-----
> From: Mark Curphey [mailto:mark () curphey com] 
> Sent: Friday, 23 January 2004 2:50 PM
> To: David Wall @ Yozons, Inc.; webappsec () securityfocus com
> Subject: Re: Secure Coding? Bah!
>
>
> Great reply and I agree with all you say. 
>
> Rather than his credentials, I think I really meant "the credentials".
>
> Whats the statement based on? Where are the facts to support 
> such a strong view? How did he arrive at that conclusion?
>
> There is no doubt business leaders care about money. A XSS 
> issue for a big high street financial services company prob 
> costs around $250,000 (internal costs) to deal with (start to 
> close). Incident response, code fix, test, pre-prod, prod, 
> legal advice, enhanced monitoring, press monitoring, 
> corporate communications preparation, regulatory authorities 
> notified, de-briefs. 
>
> You know what, business people know that !
>
> Another thing a business leader would tell you is there is no 
> upside there !
>
> <To quote:>
> Case in point: Microsoft spent $200 million retraining its 
> programmers in secure coding principles. That may help reduce 
> some brain-dead programming oversights down the line, but 
> does anybody really think this will make Windows magically 
> secure? </To quote:>
>
> Firstly perhaps the author can send me a brain-dead 
> programming oversight in the language of his choice (English 
> does not count btw) so I can understand an example he is 
> referring to. I dont think the Windows Security Initiatve is 
> about brain dead programming oversights !
>
> Magically secure: Not sure where that expectation ever came 
> in but it certianly not mine. You have to give MS credit for 
> taking the bull by the horns and dealing with the problem. 
> Nothings going to change overnight but if you shoot for the 
> stars you often end up with your head in the nice bright blue 
> sky. There is a serious program in place, lots of great 
> documentation coming out of the MS team about building 
> security applications (especially when compared to Sun these 
> days). It gives me more confidence. Enough, not yet but its 
> getting better ! I bet beers well start to see issues that 
> Windows will be immune to soon and other OS's will have to 
> deal with. Its all too easy to bash MS. 
>
> I am just glad hes not in charge of security at any sites I use !
>
> Personally I have stopped subscribing to all of the trade 
> press now. Its all so out of sync with what I see in the 
> field and the views are IMHO so sensationalized or have such 
> a marketing bias, it was just more waste that has no value.
>
>
>
> ---- "David Wall @ Yozons, Inc." <dwall () yozons com> wrote:
> > > Does anyone know of any information about this authors 
> credentials 
> > > to make these claims ?
> http://infosecuritymag.techtarget.com/ss/0,295796,sid6_iss306_art550,0
> > 0.html
> >
> > Not to be flippant, but what credentials would be needed?  
> He claims 
> > to have a CISSP certification, though.  Overall, the claim seems 
> > rather silly and pointless, as if driving safer "is not going to 
> > happen" so there's no need to teach it.
> >
> > Personally, I work in industry, but while I'm not an "industry 
> > leader," I know that there are many businesses that take security 
> > seriously when it comes to creating software.  I'll grant that we 
> > could have better tools to assess our progress, but one way we make 
> > more money is by providing a secure solution to our 
> customers.  That's 
> > our business, though.  I've found similar concerns when 
> dealing with 
> > IT in telecom, health, banking and brokerage firms.  One 
> solution they 
> > use is outsourcing or purchasing software that already has 
> a focus on 
> > security.
> >
> > As for academia, I don't think "matriculating Ph.D.s" is required 
> > since DePaul University and California State University both offer 
> > security-related courses.
> >
> > In the end, security is a trade off game.  Nothing has to be 100% 
> > secure, just secure enough to do business.  Maybe Mr. Briney is a 
> > purist, so he find no benefit in getting better at security without 
> > having total security. Starbucks doesn't put metal 
> detectors and armed 
> > guards in its stores, not because they don't care about 
> security, but 
> > because the costs are higher than the benefits, including 
> alienating 
> > their customers.  I think the same is true for software.  Good 
> > software is designed with security in mind from the get go, 
> and many 
> > companies realize that good security makes for a better product.  
> > After all, nobody wants their product to be victimized in 
> the public's 
> > eye!
> >
> > David
> > ---------------------------------------------
> > David A. E. Wall
> > Chief Software Architect
> > Yozons, Inc.
> > Kirkland, Washington USA
> > Tel 425.822.4465    david.wall () yozons com
> > Fax 425.827.9415    www.yozons.com
> > Cell 425.985.6519
> >
> > Yozons Signed & Secured - A secure document delivery, electronic 
> > signature, spam-free, virus-free business private network
> >     - Used and proven by many in the Fortune 500
> >     - Low cost, hosted solutions for smaller businesses