Monday, November 05, 2007
Bob Blakely and Secure Coding
Bob is 100% correct that if vendors adopt secure coding practices, it won't make much of a difference, as the problem starts before even a single line of code is written. There is a subtlety Bob missed: he does ask vendors whether they have secure coding practices, which is good, but he doesn't necessarily share the answers outside.
Imagine if there were an analyst firm report that outlined which software vendors didn't provide evidence that they actually use tools such as Fortify, OunceLabs, Coverity or others in this space, and that report wasn't just available by calling up an analyst but was actually published under Creative Commons for all to consume. I suspect that it would make a significant dent in the challenges outlined in the paper.
The funny thing is that I wouldn't consider secure coding something that leads to competitive advantage, but more of a table stake. It should be expected that security product vendors are at least doing this, and if we customers had more visibility / transparency, then I suspect our purchasing decisions might change.
More importantly, Bob Blakely is one of the few analysts that I absolutely respect, and I love his insights. In many ways, his in-your-face style is similar to my own. I would speculate that he sometimes is moderated and often has to moderate himself. While others may not appreciate transparency, I am one who does.
Bob, even though you ask, I would like to see Anne Thomas Manes and her team also ask and publish whether vendors in the APS space are thinking deeply about security by investing in tools and practices. More importantly, I would love to see Guy Creese provide more insight into where enterprise security converges with ECM, where vendors are deficient, and what steps they are taking to make things better...