Day two of TechEd

OK, I've managed to arrive in Amsterdam before 08:00, so I've plenty of time to blog now. The first coffee was great. Already I'm joined by Ilske, Carlo, Wim and Pascal.

I want to reflect on David LeBlanc's pre-conference session at Tech-Ed 2004 on Writing Secure Code:

I really should read the book to make sure I understand everything David told me during his session. I do understand the need for threat modelling (although I don't support him in the way they model (DFDs, yeaaagghh; why don't they use some UML model?)), but the problem is that it is not quite scientific. When you ask how he really determines the threats, or how you review for security, it comes down to human knowledge and hard labour. Not that it is a problem, but it is an indication that myself, our developers, our testers, our analysts and our managers need to invest to become a 'Trustworthy' software deliverer.

I don't think many companies are eager to invest in something that is as fuzzy as 'Writing Secure Code'.

Primary Questions:

- Am I writing non-secure code now: (yes)

- Am I going to change my attitude to Trustworthy Computing: (I need to)

- Am I going to convince my colleagues (YES)

- Am I going to convince my management (I hope so)

Lot to think of

 

Published 06-29-2004 9:08 AM by Rene Schrieken

Comments

# re: Day two of TechEd

I kind of like DFDs :)

But then again I program a lot more in a procedural way than in an OOP way.

Tuesday, June 29, 2004 9:55 AM by Rene Schrieken

# re: Day two of TechEd

Of course for procedural stuff DFDs are OK, but I think it is somewhat strange that MS is actually analyzing Office components (objects, ActiveX stuff) with DFDs...

Tuesday, June 29, 2004 4:05 PM by Rene Schrieken

# re: Day two of TechEd

The First Question before the Primary Questions: Is a customer willing to pay for Writing Secure Code for all applications (not yet)



Tuesday, June 29, 2004 9:22 PM by Rene Schrieken
