
John Wilander published a post on "Security People vs Developers", where he addressed the "Developers don't know shit about security" mantra that keeps popping up in security talks at conferences.

Let me first say I'm biased. I work as a developer, but I'm also on the board of OWASP Norway.

Who is your target audience?

When I first heard this phrase in an appsec talk, I was surprised and annoyed. And I've seen it multiple times since (no, I won't mention names).

What really puzzles me is that either these presenters are just singing to the choir, or they seem to be mocking their target audience. If developers are your target audience, why do you think this approach will work? Would a vacuum cleaner salesman say: "You don't know shit about vacuum cleaners. Please buy my product"?

I think there are developers out there that know little or nothing about security. I think there are developers out there that know quite a lot about security, but choose to ignore it, because they are pushed on time and functionality.

I think there are appsec people out there who know very little about development. Just as appsec is changing because new attacks (XSRF, DOM-based XSS, clickjacking) are discovered, how we develop software is in constant change (automatic testing, convention-driven frameworks), and agile has been a driver for many of these changes.

And there are probably many people out there who know both appsec and development very well. Dinis Cruz and Mark Curphey come to mind.

"Software Priorities According to Developers"

John published the following list of software priorities according to developers, and if you read his reasoning, it's hard to disagree.

  1. Functions and features as specified or envisioned
  2. Performance
  3. Usability
  4. Uptime
  5. Maintainability
  6. Security

Security does not come for free, and if you weigh security against the other elements in the list, I think a lot of users would agree with John. Very few would choose one product over another if it had superior security, but lacked important functionality.

Some argue that security touches a lot of the other items in the list. But I'd say that's true for several of the items in the list. Performance can dictate that a function needs to be implemented in a specific way. And the same thing definitely holds for usability.

I like to compare security to insurance. It costs, and will probably not earn you any money, but it might keep you from losing it.

What do you think?

How do we bridge the gap between appsec people and developers?
