I understand. The difference is, I am a software engineer; security isn't all that I think about. But by the same token, it's not something that enough developers think about.
CdnSecurityEngineer
-
Security
Ron Beyer wrote:
Sounds like a computer use policy to me, easily fixed by editing the security policies on the computer.
Absolutely, it's a computer use policy issue; however, the point was/is: how many companies really enforce, or have, proper policies in place? With the prevalence of BYOD and employees accessing private e-mail, my point was/is simply that developers shouldn't entirely leave the decision up to Network Ops or IT to enforce security behind firewalls. A BYOD device or an e-mail could exploit a security hole in your "internal" application to make its data external pretty quickly. I am still very much a developer as much as a security person today; I just develop security-centric solutions to help the rest of the development team.
Ron Beyer wrote:
Microsoft and big companies take the same road and for good reason
Not really; perhaps that's what Microsoft used to do, however they've drastically changed their practices.
-
Security
That's not really it at all. I fully understand that not all software requires some form of security, but that should simply not negate the thought or the process. It's a balancing act between cost, usability, performance and resources. Nobody has just one security hole in their system. If folks take the attitude "oh, it's not our problem, we rely on something else, our software doesn't need it, we're not big enough to get hacked, there isn't enough motivation", it just screams of naivety. It's an attitude that needs to change, especially as more apps move away from the desktop to the cloud or onto mobile devices, or employees bring in USB drives and download e-mail attachments at work.
-
Security
That's absolutely awesome... typical, but awesome.
-
Security
Ron Beyer wrote:
If my "customer" got a product through bit-torrent that had a trojan horse embedded in it, then I'm not going to work to fix it, they illegally stole my product and they got what they deserved.
I agree 100%. However, if I wrote a piece of malware that exploited a security hole in your software to hijack your customer's computer, that is your fault.
-
Security
LOL. No, I have a good job that pays well. I am just a security evangelist and believe too many software developers/engineers don't take security seriously and don't think about security, nor do their managers and companies.
-
Security
Cornelius, why don't you post a question in the Questions section? Or get in touch with me here and I'll be happy to help you out.
-
Security
That's only partially true. If you write a generic application that has security holes, are you not responsible? Take one of these 75% (generic applications, which I don't believe is the case). Now suppose you have a security hole that allows an attacker to download malware or a bot and make your user's computer part of a botnet. Does the publisher of that 75% not bear some responsibility? You shouldn't be writing software that is full of security holes an attacker might use.
-
Security
Microsoft recently released a study in which they stated that only 20% of software developers/engineers employed any form of security or security process within their applications or code. As a security engineer, I am interested to know why that is. I've written a lot of crappy, insecure code that could quite potentially cost previous employers a lot of money. However, they too were not that interested in security. Isn't it time we get serious about security? Why do we not take it seriously?
-
Kitchener-Waterloo OWASP Meeting
The Kitchener-Waterloo OWASP Chapter has been founded and we are having our first meeting on Tuesday, February 26th, 2013, 6:00-8:00pm. Location: Morty's Pub (Basement), 272 King Street North, Waterloo, Ontario. Colin Delaney, Security Manager from McAfee Anti-Virus, will be presenting. If you're interested in security, interested in OWASP, or just interested in connecting with other professionals in general, this is an AWESOME opportunity for you to come out. If you're not from K-W but have colleagues/friends who are, spread the word. Chapter URL: https://www.owasp.org/index.php/Kitchener/Waterloo
-
Nerds, Wireheads, Friends, Dreams, Money, Enemies
Complexity is a very hard thing to gauge, because an equal component in the equation is when it is complex but "good enough", and that is a slippery slope. It seems the general public is willing to accept the first, the latest and the greatest, providing that it is the latest and greatest, with all its bugs. Consider the iPhone 5 & their mapping trouble. If you're not the first to market in this "era", with your bugs, it seems your idea & your technology is dead on arrival. I've seen plenty of applications demo'd that solve some major defects in Facebook, but I bet you couldn't tell me one. The reason being, with all their bugs, all the millions of users accept Facebook. So if I could define complexity... I wouldn't be hanging out on Code Project on a Wednesday night.
-
Nerds, Wireheads, Friends, Dreams, Money, Enemies
In Canada there are a lot of government programs to drive innovation, design and technology. So in my experience what happens is companies hire a bunch of engineers to engineer this killer product and then suck at bringing it to market! One really has to wonder why that is. In the years of my professional experience, companies need early adopters of their technology. These early adopters need to buy the product and invest money in the development of the product so the company can meet the needs of the early adopters while continuing to hammer out a better generic product for widespread consumerism. I find this especially true in the IT sector. Monetization, to me, means taking all your engineering, which is funded through private/angel/VC investors or government R&D funding or grants, and developing a plan to sell or generate revenue from your engineering efforts. Even once you've developed a plan, it doesn't always materialize overnight. The difficulty is, you can hire smart, ambitious university graduates cheap to drive your engineering; the problem with that is they're ambitious and they're cheap (I know, I used to be one). So you have to hire some seasoned engineers to lead and drive the product & process; the problem there is they're not so cheap. The complexity of your product determines the ratio of seasoned vs. graduate engineers that you need. When you find an early adopter who will buy your product, now you really struggle, because you need their money, but you can't customize too much, otherwise you end up with a product only they can use, and therefore you're just a glorified consulting shop milking off of your early adopter (I've experienced this). You never actually get to develop the general product which will allow you to see real cash flow.
The biggest struggle for any young startup is to keep enough revenue, allowing them to keep their staff, especially senior staff, in place while they go to market, at the same time as remaining generic enough to be marketable to more than your early adopters of your technology. If you can manage that, you'll become a millionaire.
-
Nerds, Wireheads, Friends, Dreams, Money, Enemies
I've never gone as low as designing boards. But I have worked for a number of startups and folks that had bright ideas; here are my experiences. First company I worked for: the PYXIS innovation, an amazing company; I worked with the best president & met the smartest man I ever programmed with there (he's a manager at Google now). They had an excellent idea & product solving many problems of the modern GIS environment & allowing the military, scientists and GIS to make informed, excellent ideas. The problem: the company laid me off 4 times, and things have turned into a 10-year R&D exercise. Excellent technology, but with issues bringing it to market; paid well when I was working, but when I wasn't working and was volunteering my time during funding rounds, I got behind in my bills and had trouble catching up. Worked for a GIS researcher in Calgary; he dreamed of turning his research into a company. Trouble was, he used his research grant money for that, a big no-no. Padre Software: worked for a great company, great employers; trouble was there was no room for career growth, as it's still a small company. In my experience, it's the majority of the small companies doing true engineering, building things and stretching the limits of technology, at least in Canada. The larger companies are build, monetize, maintain. Not so much engineering. I'd love to work for a smaller company and do great things; the issue is, in my experience, they can't afford the level I am at these days like the larger companies can. I don't have the money to run my own startup... Then there is the whole monetization thing, which tends to kill companies.
-
K-W OWASP Chapter Meeting
We're an OWASP chapter just getting going, pretty much down the highway from Code Project's headquarters. I figured a lot of Canadians, and hopefully people around K-W, use this site. So why not reach out to them? We're a developer community interacting with another developer community. Given that K-W is dubbed the "Silicon Valley North", there's a lot of potential I see here :D
-
K-W OWASP Chapter Meeting
Chapter URL: https://www.owasp.org/index.php/Kitchener/Waterloo
-
MonoGame Part II
Well, technically, if you're focusing on MonoGame, Windows 8 Metro is the new desktop; HTML 5 + JavaScript apps no longer require exclusively the web. They can be "Metro desktop apps". If one considers what I'll call the true desktop, then I'd be much more interested in seeing something like this work and be useful in DX 11. I might even use it if it were available.
-
MonoGame Part II
I don't really want to shoot your idea in the foot, because I spent 6 weeks developing a retro-style space shooter in MonoGame, which rocks. However, I have to question the wisdom in it. XNA is a DEAD technology. MS won't be supporting it and is moving to DX 11 on their 720 & new Windows 8, so why waste your energy? Learn HTML 5, use JavaScript & the canvas if you want to target Windows 8 specifically. Use DX 11 for everything else.
-
Security Code Reviews
Espen Harlinn wrote:
What I don't figure is how shareholders think: How can a person with a maximum attention span of 5 minutes, and who is by the way proud of it, be trusted to run something as complex as a corporation?
LMAO! So true; I have had one too many a manager & CEO like this.
Espen Harlinn wrote:
They need to get the idea that they are, or rather the company is, in fact often legally responsible - and that when the sh*t hits the fan the costs may reach astronomical figures, depending on who your customers are, the severity of the case, and under what agreement your company did the work.
Not many companies or managers really get it. I think this is especially prevalent in the tech startup industry, or where startups are coming and going; everyone figures we'll get to it later and hopes for the best. Before I got some learning (and no, I don't mean university), I wrote some pretty terrible, security-vulnerable code for startups. I shudder to think that it's still in production, or that some of them are actually using what I wrote. This problem is all too common. Even our colleges and universities do a poor job of teaching secure code and secure coding techniques to their students, and therefore the vast majority of them know nothing of it. The reason to educate the dev community is that it's the devs that are eventually going to make it to manager! *shudder* So if they're not thinking about it now! Ugh. It'll be never!