The Sorry State of Secure Software Development?

We Can’t Even Get The Basics Right? Functionality first, security second.

--

We build bridges that meet general safety standards … We build cars which have safety embedded into every part of the design and manufacturing process … We define standards which keep our food safe from disease … But do we do the same for the creation of our software world?

Few other industries would get away with such poor regard for the safety of the citizen. Imagine if you asked a bridge designer, “Why didn’t you put bolts in the girders?”, “Well, you didn’t ask me to!”, “But, the bridge fell down!”, “Well, you should have told me that not falling down was a requirement!”.

As an industry, computer security doesn’t use evidence-based approaches as much as others do. Often the argument is “Dev Ops just don’t work well with Sys Ops”, with little in the way of real evidence to show that this is the case. But new research, from the University of Bonn, actually delves into the knowledge of security within the development process [here]:

--

Prof Bill Buchanan OBE FRSE
ASecuritySite: When Bob Met Alice

Professor of Cryptography. Serial innovator. Believer in fairness, justice & freedom. Based in Edinburgh. Old World Breaker. New World Creator. Building trust.