It seems that security-aware coding is moving towards a situation akin to the bean counters that decide whether to recall a certain model of a car...
People didn't set out to write insecure code. But usually they have a set of requirements to meet in order to get paid. Apart from a few industries where large sums of money or human life were directly involved, meet the requirements ASAP and get paid...
Even "closed source" development projects have Quality Assurance processes where some dude checks your code (whether they know what they are looking for is another issue)...
But particularly with bespoke code, people write according to a set of requirements. "I want it to do this, I want it to do that...". If it doesn't, I can sue/refund/get free upgrades; if it gets hacked by some snotty-nosed kid, tough, that kid wasn't in your requirements. Security is not easily specified as a requirement and is hard to insure against (financially)... so pretty soon you will see the emergence of "security support contracts".
This is the direction Micro$oft are going in...
(sustainable revenue is good for any business)
Yes, there is a wide range of programmers with varying abilities, but (apart from open source products) certain companies have realized they can/will charge big bucks for more security-oriented support contracts, so what do they care.
For non-open-source companies, lack of security/defensive programming has changed from being a liability to a profit generator.
Either they'll make a lot of money or open source will prevail.
Also expect a lot of specialist code review/certification/QA companies to pop up:
"This product is independently DeadBolt certified"
and hence costs $30 more + $30 a year for the latest security upgrades...
(multiply those figures as appropriate!)