Showing posts with label SecTor. Show all posts

Tuesday, November 02, 2010

A discussion at SecTor on Rogue Secure Development

Last week I presented a new methodology for developing secure code called Rogue Secure Development (pdf). The talk was at SecTor in Toronto, and afterwards a lively discussion took place concerning the adoption of such a methodology. RSD is a five-phase process that integrates with the traditional Waterfall SDLC and focuses on bare-bones resource requirements for SMBs. The question I put to the audience was:

If there is a process that requires minimal amounts of resources, saves money, and creates robust code, what will it take to increase adoption?

There were many answers, but they were all summed up succinctly in four options.

1. People are killed, and a lack of a secure coding methodology is directly to blame.
2. Companies go bankrupt, and a lack of a secure coding methodology is directly to blame.
3. A nuclear power plant has a catastrophic meltdown, and a lack of a secure coding methodology is directly to blame.
4. Compliance forces adoption.

I found these dramatic and macabre options disturbing, so I asked, "Is there no business case for secure coding? No cost-saving analysis? No risk management prescription?" The consensus in the room was that my suggestions, while possible in principle, weren't going to persuade anybody to break from the status quo. Interestingly, the only factor that seemed to have complete persuasive power was compliance. In this particular audience, the threat of fines was more of a motivating stick than I've ever seen previously.

In March 2010, Errata did a study asking people what reasons they had for not using a secure development lifecycle. By far the most popular answer was resource constraints. The four options above would imply that, at least according to security folks, the reason people do not adopt secure coding is that some black-and-white risk assessment tells them they are not in danger. So, does this mean that the people in the study aren't being honest with themselves, or that security professionals are out of touch with the motives of the development shops?