Secure Coding mailing list archives
re-writing college books - erm.. ahm...
From: peter.werner at gmail.com (pete werner)
Date: Tue, 7 Nov 2006 10:19:40 +1100
On 11/7/06, Wall, Kevin <Kevin.Wall at qwest.com> wrote:
Developers have to cut corners somewhere, and since security issues are not paramount, that's often what gets overlooked.
this is the biggest issue i think. it gets overlooked because management don't value it, partly because it's expensive to do, and there's no real qualitative or quantitative measures of success. you can't go to your management and say "i spent 20% of my time working on security issues, it cost us $x but it will save our customers $y, and security was improved by 15%" or if you can, you're bullshitting, but will probably get a nice bonus :)

i think a college level textbook would have limited benefit. there is plenty of information out there at the moment for those who are interested, both on the net and in book form. i suppose it's nice to have a single point of reference though.

however, most graduates aren't really good practical programmers. they know stuff like what a for loop is and how recursion works, which is great, but they learn the ins and outs of developing when they get their first real job. so they get their first job, and basically learn from the people they're working with. the people they're working with and learning from are busy, and working under time and budget constraints. they're just not going to focus on security, even if they had the knowledge to do it effectively, because other things are more important to the company's management.

most managers (and developers too i guess) do care about security, but only in the way people care about global warming. they know global warming is bad, but oh gee what are we going to do, oh today i remembered to turn off my desk lamp when i left the office. great. same with security, you don't have to be a genius to work out security holes are bad, but oh gee what are you actually going to do about it?

if organisations don't really care about software security, a security conscious developer faces an uphill battle. if two devs are working on some code, one does it slower but more securely, the other does it quicker but less securely, who's going to look better, in a typical organisation?

your fresh grad is going to learn quick enough what companies want from them. as time goes by, they become the ones breaking in the new developers, so the cycle continues. a book isn't going to help this, it probably won't hurt, but i don't think the lack of available literature is a big problem.

a good organisation will focus on what its customers want. until the customers start kicking up a storm about vulnerabilities, there's little impetus for management to devote resources to security. i think this is one of the things microsoft has done well, over the last few years they have started taking security seriously, and i can only assume it's because their customers started complaining. they still have a lot of security issues (an insuperable amount imo), but it shows that for companies to start taking software security seriously, it has to be something the customer wants.
