Why is it that many developers aren't interested in Security ?
My team (The Microsoft Developer Community Champions) changes the content for our events every eight to twelve weeks. We have a marketing guru on our team, Amy Babson (one of the few marketing people who really rock), and Amy evaluates all kinds of statistics about developer event attendance and feedback.
In March and April MSDNEvents was all about developing secure applications. The statistics for those months have revealed an interesting anomaly. The first part is that attendance was comparatively low. Much lower than our current attendance for sessions on Application Blocks, Reporting Services, Whidbey, & Yukon.
This surprises me as my “How Hacker’s Hack Session at TechEd” was the 2nd highest breakout attendance at the event this year.
Several of my regular attendees have mentioned to me that their management did not think attending sessions on writing secure code were effective use of their time. The same manager’s recognized the importance of getting a preview of the next generation of developer tools and database technologies from Microsoft.
The second surprise is that while attendance was lower than we expected, the Developer Satisfaction scores for the events were some of the highest that MSDN has ever had. The developers who came to the events loved what they learned and the testimonials had lots of comments that indicate those lessons will change the way they write code.
I think that developers tend to perceive application security as a network administrator problem. This perspective has proven to be wrong and unsuccessful. I think the science of writing secure applications is not only one of the most important developer topics of the day, but also one of the most interesting.
I plan to focus my summer web casts primarily on Security for developers this summer.
So please tell me, what areas are you most interested in and why do you think managers and some developers seem disinterested in Developing Secure Applications.
Comments
- Anonymous
June 13, 2004
We offered Security for Developers training in the past, but have since stopped putting it on the schedule due to lack of demand. Sigh...
What's strange is the looks and interest that come from developers and admins alike when I demonstrate something as simple as SQL Injection attacks.
You aren't going to find any "Learn x in 24 hours" books that devote even 3 minutes of those 24 hours to security - Anonymous
June 13, 2004
The comment has been removed - Anonymous
June 13, 2004
If you really want to hit a weak spot, you could talk about deploying code access security policies.
I second the attendance phenomenon. It's interesting - I would think most managers would value code security over "futures" any day of the week. - Anonymous
June 13, 2004
Anil,
I totally agree. I LOVE the work that the folks in PAG are doing.
Their Security Books are super and I'm reading their forthcoming Scalabilty book now.
Thanks for commenting.
Joe - Anonymous
June 13, 2004
The comment has been removed - Anonymous
June 13, 2004
The comment has been removed - Anonymous
June 13, 2004
"Why is it that many developers aren't interested in Security ?"
Beacuse they don't understand it. Most of the developers in Microsoft are (sorry) aren't good enough to understand what they are doing. They think they are but they aren't... Some developersa think they can make cool application only by knowing how to access a database, but have no ideas about threats. How can Security be an interesting topic if they don't know security?
//Johan Normén - Anonymous
June 14, 2004
The comment has been removed - Anonymous
August 18, 2005
Your site is realy very interesting. http://www.bignews.com