Saturday, July 31, 2010

First Post - Thoughts on BSidesLV 2010.

I helped for a few hours each day with security, and it was a great experience. I was working the door, so I got to meet everyone who attended the event without having to tap them on the shoulder and introduce myself. For the introverts out there, give volunteering some thought; it can lead to anxiety-free networking!

One of my primary motivations for attending the event was to participate in the infosecmentors project. It did not disappoint. I cannot say enough about what Marissa and company are doing with this.

On day one I attended David Rook's (aka securityninja) talk titled "Injecting Simplicity not SQL". He compared educating drivers to teaching developers to code securely. His premise was that teaching developers to code securely by teaching them about hacking is like teaching safe driving by teaching how to crash. The analogy met with crowd approval, but it is not one I would have made. We as a society haven't figured out how to teach people to drive safely; just check the number of fatalities each year. We license drivers and we show them examples of the devastating results of unsafe driving. We limit the speed they can drive and enforce traffic rules. We hold drivers accountable when they act irresponsibly (civil, criminal or both). It doesn't matter; many people still die.

Do we have any of the above controls placed on developers? License required? Held liable for poor code if it results in loss? Rules that must be followed and are enforced? I'm not advocating tossing coders in jail or implementing any of the other controls, particularly as it appears they do not work. What I am saying is that we need to be careful about oversimplifying the problem and dismissing the concept of teaching developers where common weaknesses lie. Teach developers how to use a hacker tool? No. Teach them how an exploit works or how to write one? Maybe.

Perhaps a better analogy would have been to compare developers to the engineers who design the cars. What controls are in place when an engineer submits plans for development?

Overall, I thought the talk was good, and despite my misgivings he had some statistical evidence that the methods he was employing to educate developers were working.
