The birth of "21 Myths of Software Security"
Security is a subject that turns many developers off. They often think that security is stuff that detracts from their productivity by making things too difficult, or they imagine that security is something that happens when the systems administrators get their hands on the application and it's not their problem. So I've been thinking about the question of how I can get more people to take more than a passing interest in security, particularly from a developer's / architect's perspective. There's plenty of material out there already, and Michael Howard's book "Writing Secure Code", for example, is very good indeed, if perhaps a little weighty for someone looking for that one hint or tip to put the final security touches to their application before they ship ;-) .
Anyway, last week I had a conversation in the speaker lounge at TechEd Europe with my good friend and colleague, Dave Gristwood, about his session on the "21 rules of software development". Dave's session, based on an original by Jim McCarthy (read Dave's blog for more detail), takes a good-humoured look at the software development process and offers 21 rules to help build software. So great was this inspirational chat with Dave that over the coming months I have decided to develop something on my blog I shall call: "21 Myths of Software Security" – original, eh ;-)? I'm not quite sure how it will pan out, and I'm more than happy to take any input or suggestions, so let's give it a go.
My intention is to post an entry on this topic probably no more regularly than once a week. Of course I'll do other posts in between on things I come across or I find interesting, typically on the topic of security for developers. With that in mind, by the end of this week, the first myth to examine will be...
"You know as much as a hacker knows"