Shostack + Friends Blog Archive


"Want more Secure Software?"

SecurityFocus points to a nice short article over at suggests that

Gartner advises that for companies building their own software, developers should be pushed to put security at the head of their list. It’s not just in-house tech makers that need a word in their ears – the analysts suggest end users should give vendors grief about tightening up their security procedures too.

John Pescatore, the analyst in question, nails it. If you want more security from your vendor, you’ve got to make it a buying criterion. If you want more security from your developers, you’ve got to make time for it in the schedule, and you’ve got to give them tools and training to know what to do. Better security isn’t hard; it just costs some money. Do you prefer to spend that up front, or on operations later?