Ok, I've managed to arrive in Amsterdam before 08:00, so I've plenty of time to blog now. The first coffee was great. Already I'm joined by Ilske, Carlo, Wim and Pascal.
I want to reflect on the pre-conference session of Tech-Ed 2004 by David LeBlanc on Writing Secure Code:
I really should read the book to make sure I understand everything David told me during his session. I do understand the need for threat modelling (although I don't support him in the way they model (DFDs, yeaaagghh) (why don't they use some UML model?)), but the problem is that it is not quite scientific. When you ask how he really determines the threats, or how you review for security, it comes down to human knowledge and hard labour. Not that it is a problem, but it is an indication that I, our developers, our testers, our analysts and our managers need to invest to become a 'Trustworthy' software deliverer.
I don't think many companies are eager to invest in something that is as fuzzy as 'Writing Secure Code'.
Primary Questions:
- Am I writing non-secure code now: (yes)
- Am I going to change my attitude to Trustworthy computing: (I need to)
- Am I going to convince my colleagues: (YES)
- Am I going to convince my management: (I hope so)
A lot to think about.