Wednesday, December 27, 2006
Do Outsourcing Firms understand Writing Secure Code...
The press release is carefully worded but does mention Fortify Software. Let's analyze it:
- Fortify SCA is expected to boost Wipro’s security and audit services by expanding its ability to assess its customers’ software development processes and recommend improvements when it comes to application security.
Notice it didn't say that it was going to be used to assess their own software development processes only its customers. I guess turning things into revenue making opportunities is a smart thing on Wipro's part but I question whether this actually helps customers actually write secure software. I am of the belief that for software to become secure, each and every developer within an enterprise needs tools on their desktop. A once-in-awhile drive-by audit done by outsiders will not help reach this goal. At best, it will provide meaningless metrics to IT managers who won't know what to do with them. I guess fear, uncertainty and doubt still sell security-oriented software.
Likewise, within this press release it also didn't mention any initiative to train all Wipro development staff in writing secure code, so for enterprises who outsource to Wipro, don't even get a second-hand lift by internal folks using the tools.
I wonder if folks such as Brian Chess and/or Krishna Srikanth can provide their own perspective on this? I know that Mary Ann Davidson of Oracle and Michael Howard and Dan Sellers of Microsoft both have strong perspectives against this type of approach...