[Owasp-singapore] Over half of all apps have security holes - Dodgy development practices blamed

Wong Onn Chee ocwong at usa.net
Mon Sep 27 06:17:46 EDT 2010


Hi Claudio,

Good insight.

Should we update consumers that they have the right to sue a website
owner if the website is insecure and infects their visitors?
This way, the business folks will stop ignoring the value of appsec.
When their pockets are hurt, the business folks will move.

Perhaps we should run an awareness campaign to educate and inform
consumers about their rights.
I believe such a campaign benefits all infosec pros.
What do you think?


Regards
Onn Chee



On 09/27/2010 11:32 AM, Scarabello, Claudio wrote:
> The way I see it, poor development practices, training and/or education
> are merely symptomatic of a root cause related to business owners who do
> not establish incentives/metrics for developers to build secure apps in
> the first place. And that's because business owners do not set aside
> budget for security reviews/ secure development. Why would they? Risk
> responsibility is not well established in the dev phases: they can deal
> with it later. And, adding SDLC (for example) early on would only slow
> down/hinder the project plans.
>
> Regards, Claudio Scarabello
>
>
> -----Original Message-----
> From: owasp-singapore-bounces at lists.owasp.org
> [mailto:owasp-singapore-bounces at lists.owasp.org] On Behalf Of Wong Onn
> Chee
> Sent: Saturday, September 25, 2010 1:27 AM
> To: OWASP Singapore; security-77 at meetup.com
> Subject: [Owasp-singapore] Over half of all apps have security holes -
> Dodgy development practices blamed
>
>
> http://www.theregister.co.uk/2010/09/23/web_app_security_audit/
>
> Some interesting questions for us to think about:
>
> - How were developers taught dodgy development practices?
> - Is something broken in how we teach developers?
> - If it is true that our developers are not taught in the right way,
> should we focus our efforts on the schools where developers are trained,
> instead of relying on OJT to learn about secure web app development?
>
> What do you think?
>

