2008/11/2 Robert Hajime Lanning <robert.lanning (at) gmail (dot) com [email concealed]>:
> On Thu, Oct 30, 2008 at 4:55 PM, Yousef Syed <yousef.syed (at) gmail (dot) com [email concealed]> wrote:
>> Why isn't Quality Assumed?
>> Why isn't Security Assumed?
>> Why are these concepts thought of as add ons to Applications and Services?
>>
>> Why do they need to be specified, when they should be taken for granted?
> I believe one of the issues is, pride of ownership in the end product.
>
> A lot of the coding is now outsourced to cheap code houses. These people
> do not have ownership or attribution. They have no reason to take any extra
> steps, that are not specified in the contract. If it is not in the
> contract, they
> are not being paid for it.
I have to disagree with you there, even if you examine code that comes
from internally where they have pride of ownership there are many
security considerations which are only later applied to the product.
Many times it's the case that security aspects are tacked on later,
rather than being considered from the outset.
D.
blaze your trail
--
redhat
http://feeds.feedburner.com/GeneralMusing
------------------------------------------------------------------------
-
Sponsored by: Watchfire
Methodologies & Tools for Web Application Security Assessment
With the rapid rise in the number and types of security threats, web application security assessments should be considered a crucial phase in the development of any web application. What methodology should be followed? What tools can accelerate the assessment process? Download this Whitepaper today!
> On Thu, Oct 30, 2008 at 4:55 PM, Yousef Syed <yousef.syed (at) gmail (dot) com [email concealed]> wrote:
>> Why isn't Quality Assumed?
>> Why isn't Security Assumed?
>> Why are these concepts thought of as add ons to Applications and Services?
>>
>> Why do they need to be specified, when they should be taken for granted?
> I believe one of the issues is, pride of ownership in the end product.
>
> A lot of the coding is now outsourced to cheap code houses. These people
> do not have ownership or attribution. They have no reason to take any extra
> steps, that are not specified in the contract. If it is not in the
> contract, they
> are not being paid for it.
I have to disagree with you there, even if you examine code that comes
from internally where they have pride of ownership there are many
security considerations which are only later applied to the product.
Many times it's the case that security aspects are tacked on later,
rather than being considered from the outset.
D.
blaze your trail
--
redhat
http://feeds.feedburner.com/GeneralMusing
------------------------------------------------------------------------
-
Sponsored by: Watchfire
Methodologies & Tools for Web Application Security Assessment
With the rapid rise in the number and types of security threats, web application security assessments should be considered a crucial phase in the development of any web application. What methodology should be followed? What tools can accelerate the assessment process? Download this Whitepaper today!
https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F
------------------------------------------------------------------------
-
[ reply ]