« Pragmatic Speculation | Main | SOA, Web Services, and XML Security class in Twin Cities »




Re: Microsoft security push

Don't you think that it is about time they got serious? Good for them. It is especially refreshing to see that the influence of some of their famous security people is being felt - finally, after all these years. Some of those people have track records of building proveably secure, state of the art systems. It is about time that they started listening to them.

Re Maybe security is not fun?

For most, it is not. For one thing, it is hard to get right and it takes a lot of work, dedication, and discipline. All things that open source could stand to learn.

For one thing, the apparent open source idea that people can merely whip up things in their basement without regard to requirements and long-established ways of doing things has to die.

Open source has to learn to develop trustworthy implementations that are proveably secure. That means, among other things, complete control over the SDLC and the complete methodology that this requires - heavy-weight as that may be.

Open source has to learn some basics. They are not complicated. They are simply hard to get right because they take discipline and dedication to it that open source has lacked in the past.

While there is hope, by in large, interest in proveably secure and trustworthy code, applications, and systems remains to be seen. Until open source is serious enough to do security by design and to use the methodologies that are required, there won't be any security.

Though security can be fun, it is pretty hard work for people who are used to coding up ther latest wet dream and trying to foist that on the world as the right way to do things.

The comments to this entry are closed.