One thing I have noticed in consulting, and especially in training, is that people who are right out of school in their early 20s, who literally "grew up digital", have a very different set of assumptions about risk and mitigating it. In fact, in my experience it's a 180 from how most of us in the profession look at it.
I remember Kim Cameron telling a story about reification, where young people would see a physical folder and recognize it as "oh, that looks just like what I see in my OS". If what I have seen so far training programmers and security people is a reflection of overall reality, we might just be in for a great change. When digital risks are presented to someone with, say, a lot of experience, they sort of look at the computer and data as an abstract thing, separate from their world. When the Facebooker generation are presented with the notion that someone may want to steal/alter/tamper with their identity and data, it's like "whoah! ru serious?!? srsly how do i stop them?!?" It's not a reach at all to get them to see digital assets as assets, and to see value in digital assets.
So the two things I can see coming out of this are increased awareness of digital asset existence and value, which should lead to an increased ability to try new mechanisms. We likely don't need to be limited to robotic (cue robot voice and body movements): "We must stick to only. Username. And password. And NW Firewall. That. Is. The only thing our users. Are capable of."
It will be interesting if this proves true, because if it does, it's a game changer on many fronts.
I have a different experience than you, among young Java developers. For the most part, they want to 'code it and see how it works', and are completely unfamiliar with, or disinterested in, measuring design or security robustness and integrity through the use of (say) static analysis tools.
Where I work, it is the experienced developers who were doing big projects in C during 1985-1995, who saw big, buggy, always-crashing software projects canceled due to not using memory-leak detection tools, who are BY FAR the most receptive to software security measurement.
I admit this is a tangent to your post, but I find this 'generational' or professional-experience difference very interesting. Is there a current analog for messy big projects in C from that era?
Posted by: Brian | April 03, 2009 at 09:50 AM