It just gets better and better! Twan points out a chap called Howard Schmidt who popped over from the US to tell the Brits how to do it. Number One prescription is to pin it on the individual developers:
Software developers should be held personally accountable for the security of the code they write, said Howard Schmidt, former White House cybersecurity advisor, on Tuesday.
Speaking at Secure London 2005, Schmidt, who is now the president and chief executive of R&H Security Consulting, also called for better training for software developers, many of whom he believes don't have the skills needed to write secure code. "In software development, we need to have personal quality assurances from developers that the code they write is secure," said Schmidt, who cited the example of some developers he recently met who had created a Web application to talk to a back-end database using SSL.
"They had strong authentication, strong passwords, an encrypted tunnel. The stored data was encrypted. But, when that data was sent to the purchasing office, it was sent as a plain text file. This was not an end-to-end solution. We need individual accountability from developers for end-to-end solutions so we can go to them and say: 'Is this completely secure?'," Schmidt said.
Schmidt also referred to a recent survey from Microsoft which found that 64 percent of software developers were not confident they could write secure applications. For him, better training is the way forward.
What can we gather from that? Well, approximately 64% of the people that Microsoft surveyed are honest, or at least weren't going to be caught by the obvious trick question.
This completely stinks of a manager's first order solution: see pile of smelly brown muck, blame the person standing closest. With this level of analysis, we can only thank our lucky stars that Schmidt didn't get promoted from cybersecurity advisor to Strategic Air Command or the captaincy of an Aegis cruiser.
Predictably, the comments section on that article is full to bursting with outraged developers who point out, quite rightly, that they don't own the code, don't own the budget, and don't own the managers. And the British Computer Society was on hand to remind everyone that security is quite tricky stuff, really, thank you very much. Although I think they lost it here:
"...They should also be accredited with a CMM [Capability Maturity Model] standard - it's like a kitemark. CMM level three, four or five is an indication the software has been developed by quality developers," the BCS spokesperson said. "The software has to be shown to be fit for purpose. This is essential for producing a trustworthy online environment."
Oh well, thanks Twan for sharing with us what is causing giggles in mainland Europe.
Posted by iang at October 12, 2005 03:47 PM