"'Developers don't know shit about security'. That may very well have been the most retweeted quote from the 2011 #OWASP Summit." That is a quote from a blog from a big name at the OWASP Summit.
It is an interesting read for sure. I am not sure how to take it. I guess at first I was a little shocked and humbled that InfoSec folks make fun of devs like me. I do realize we know so little about security and they know so much. And I appreciate the blog's point that InfoSec folks should learn more about software development and our unique challenges to get product out the door. But to hear that I am part of a running joke (outside of the ones I know about in my own office)... that stung. And it reminds me how much work we have to do.
I still insist it is all about educating the developers. I didn't know what I didn't know, until I decided to study up on it. 95% of the devs won't study up on security when LINQ, HTML 5.0, and lots of new and sexy technologies are there to learn. We are good at learning the tools of our trade. Security? Isn't that what InfoSec is FOR?
We aren't bad people, or lazy... well, for the most part. We put our best foot forward and want to make a good, sellable product. We want the glory. Show me a negative headline with my name in it and suddenly I will pay attention. Show us how the dev down the street, from our own user group, got bitten and now their company is under fire in the press and by customers or shareholders. Whoops! Wake-up call!
It is going to have to come from the developers, since we won't listen to InfoSec folks (they don't get us, they just want to box us in, etc.). I can't do this alone. Are you willing to step into the gap and point out the elephant in the room?