Wonder why software security sucks? Look no further than what software developers and architects do and talk about; hint: it ain't software security. To wit, JAOO is one of the leading software conferences. It presents a "broad range of topics in professional software development." Many of the leading names in software development speak there. Surely, with all our apps getting ripped to shreds by malicious hackers, getting improved security into the apps is a hot topic, right? Guess again.
The tracks go over in exhaustive detail app frameworks, complexity, scalability, quality, variability -- come to think of it, the tracks address every word in the English language that ends in "-ity" except security.
Sadly, this incessant navel gazing is nothing new. Here is Tim Bray's comparison of web app frameworks (PHP, Rails, and Java). The criteria for comparing web app frameworks must surely include security, right? Nope. It's Scaling, Dev Speed, Dev Tools, and Maintainability, or, to summarize: what is easiest for the developer. Hey, they all have support for SSL, right? (Note: I am picking on Tim, but I could have pulled almost any software guru's slides.)

Anyhow, maybe we can take up a collection to send Brian Chess, Ryan Berg, James McGovern, Ken van Wyk, Gary McGraw, and others to JAOO; maybe JAOO would even give them their own track: Why Your Software Is Broken and What You Can Do to Fix It. If not, maybe OWASP can sponsor a tent out in the parking lot.
Just don't wonder why it keeps hurting when you keep doing the same thing.

Wow, Gunnar, the second bar chart rocks. The sad part is that it's true of most of the software developers I've met... "We have security built in, we used OpenSSL".
Posted by: rybolov | July 12, 2007 at 06:43 PM
This is an excellent and important point.
Most organizations care deeply about two things:
1. Security of people's data
2. The robustness and quality of the database.
Instead of focusing on what is important, the current fashion is to pay most attention to other issues which are an order of magnitude less important.
Posted by: john O'Hanley | July 14, 2007 at 12:46 PM
Granted. We've not been on top of the topic of security so far. However ... for our next QCon (http://qcon.infoq.com/qcon-sanfrancisco/tracks/) we are planning an application security track, and I intend to include this in future JAOOs too. I'd love to have input from you on this -- please contact me at krab /a/ jaoo point dk.
Posted by: Kresten Krab Thorup (JAOO) | July 23, 2007 at 12:56 PM
Kresten - I have a ton of respect for JAOO; you put together many of the most interesting tracks and talks of any conference. I am picking on you (and Tim Bray) because I am hopeful that my tiny (yet important) corner of the world could use some more focus. I don't expect a mainstream VB.net-style conference to cover software security in depth; I am hopeful that leading-edge conferences (like JAOO) will devote tracks and in-depth sessions to software security, because they are by far the best positioned to solve these issues; security people cannot solve these issues alone, software people have to help.
Posted by: Gunnar | July 23, 2007 at 01:13 PM
This to me sums up exactly why in 2007 we are still seeing shit code being produced. Yes, a small handful of developers understand the need for security in the SDLC, but if a conference like JAOO doesn't, then what hope is there?
I like your idea about us putting a tent outside, it's got me thinking :)
Daniel
OWASP
Posted by: Daniel | August 10, 2007 at 10:16 PM