Why is it that many developers aren’t interested in Security?


My team (The Microsoft Developer Community Champions) changes the content for our events every eight to twelve weeks. We have a marketing guru on our team, Amy Babson (one of the few marketing people who really rock), and Amy evaluates all kinds of statistics about developer event attendance and feedback.


 


In March and April MSDNEvents was all about developing secure applications. The statistics for those months have revealed an interesting anomaly. The first surprise is that attendance was comparatively low: much lower than our current attendance for sessions on Application Blocks, Reporting Services, Whidbey, and Yukon.

This surprised me, because my “How Hackers Hack” session at TechEd had the 2nd highest breakout attendance at the event this year.


 


Several of my regular attendees have mentioned to me that their management did not think attending sessions on writing secure code was an effective use of their time. The same managers recognized the importance of getting a preview of the next generation of developer tools and database technologies from Microsoft.

The second surprise is that while attendance was lower than we expected, the Developer Satisfaction scores for the events were some of the highest that MSDN has ever had. The developers who came to the events loved what they learned, and the testimonials had lots of comments indicating that those lessons will change the way they write code.


 


I think that developers tend to perceive application security as a network administrator’s problem. That perspective has proven to be wrong: a firewall does nothing against an attack carried in a legitimate-looking request to the application itself. I think the science of writing secure applications is not only one of the most important developer topics of the day, but also one of the most interesting.

I plan to focus my summer webcasts primarily on security for developers.

So please tell me: what areas are you most interested in, and why do you think managers and some developers seem uninterested in developing secure applications?


 


Comments (9)

  1. Phil Scott says:

    We offered Security for Developers training in the past, but have since stopped putting it on the schedule due to lack of demand. Sigh…

    What’s strange is the looks and interest that come from developers and admins alike when I demonstrate something as simple as SQL Injection attacks.

    You aren’t going to find any "Learn x in 24 hours" books that devote even 3 minutes of those 24 hours to security.

  2. Anil John says:

    I really don’t think it is a lack of interest in Security as much as an emphasis on the future technology… Security is not sexy. But Avalon/Indigo/Whidbey, Oh My! 🙂

    I wrote about this some time back @

    http://cyberforge.com/weblog/aniltj/archive/2004/03/06/351.aspx

    This is also why I like the work that the PAG is doing, as they focus on current shipping technology.

    http://cyberforge.com/weblog/aniltj/archive/2004/04/25/479.aspx

  3. Paul Murphy says:

    If you really want to hit a weak spot, you could talk about deploying code access security policies.

    I second the attendance phenomenon. It’s interesting – I would think most managers would value code security over "futures" any day of the week.

  4. Joe Stagner says:

    Anil,

    I totally agree. I LOVE the work that the folks in PAG are doing.

    Their Security Books are super and I’m reading their forthcoming Scalability book now.

    Thanks for commenting.

    Joe

  5. Roger Heim says:

    Anil, the reason security isn’t sexy is, I think, because it’s one of those things that’s not really noticed unless it’s not done well (or at all.)

    Roger

  6. Scott Allen says:

    There exists a percentage of programmers and managers who simply believe security is not important for their specific application. They develop intranet applications behind flawless corporate firewalls in a company where all the employees are trusted individuals like judges and nuns. Some of these people just don’t know any better and you have to hit them on the head before they will listen. Others you’ll never convince until something goes wrong.

  7. "Why is it that many developers aren’t interested in Security ?"

    Because they don’t understand it. Most of the developers in Microsoft (sorry) aren’t good enough to understand what they are doing. They think they are, but they aren’t… Some developers think they can make cool applications only by knowing how to access a database, but have no idea about threats. How can security be an interesting topic if they don’t know security?

    //Johan Normén

  8. I went to one of the MSDN security days, I wasn’t very happy about it. I blogged about it here:

    http://www.ibbotson.co.uk/peteri/index.php?/archives/15_Security_summit_is_a_bust_part_2.html

    Bearing in mind that two of us in different countries agreed on this, there is something rotten. I certainly wouldn’t send any of my developers along for a rerun of the same material.

    Personally I thought the whole thing was organised wrong. I think I’d prefer something on how to do SQL security properly, starting with, say, a simplistic phonebook-type app, then lock it down and secure it.

    I also privately beat up someone at Microsoft UK over this at one of the ISV strategy days (didn’t want to say anything in public, as some training is better than none).
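The "simple SQL injection" demonstration Phil Scott describes above, applied to the phonebook-style app the previous commenter asks for, as an added example that is not part of the original post or its comments. It assumes a hypothetical `phonebook` table with constructed rows, uses Python's standard `sqlite3` module, and puts the string-concatenated lookup beside its parameterized replacement so the same attacker input can be run through both.

```python
import sqlite3

# Constructed sample data (not from the original post): a phonebook where
# only "public" entries are meant to be visible to the lookup page.
SAMPLE_ROWS = [
    ("alice", "555-0100", "public"),
    ("bob", "555-0101", "public"),
    ("carol", "555-0102", "private"),
]


def make_db():
    """Build an in-memory SQLite database holding the sample phonebook."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE phonebook (name TEXT, number TEXT, visibility TEXT)"
    )
    conn.executemany("INSERT INTO phonebook VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, name):
    """Look up a public entry by name, building the SQL by concatenation.

    The user-supplied value becomes part of the SQL text, so quotes and
    keywords inside it are parsed as SQL and can rewrite the WHERE clause.
    """
    sql = (
        "SELECT name, number FROM phonebook "
        "WHERE visibility = 'public' AND name = '" + name + "'"
    )
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Same lookup with a parameterized query.

    The driver sends the value separately from the SQL text, so it is only
    ever compared as data; no input can change the query's structure.
    """
    sql = (
        "SELECT name, number FROM phonebook "
        "WHERE visibility = 'public' AND name = ?"
    )
    return conn.execute(sql, (name,)).fetchall()


# Classic tautology payload: closes the quoted string and appends OR '1'='1'.
# In the concatenated query, AND binds tighter than OR, so the clause becomes
# (visibility = 'public' AND name = 'x') OR '1'='1', which is true for every
# row, including the private one.
PAYLOAD = "x' OR '1'='1"


def demo():
    """Run an honest lookup and the injection payload through both versions."""
    conn = make_db()
    return {
        "honest_vulnerable": lookup_vulnerable(conn, "alice"),
        "attack_vulnerable": lookup_vulnerable(conn, PAYLOAD),
        "honest_safe": lookup_safe(conn, "alice"),
        "attack_safe": lookup_safe(conn, PAYLOAD),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

Running it shows the concatenated version returning all three rows for the payload, private number included, while the parameterized version returns nothing because no name literally equals `x' OR '1'='1`. The fix is not escaping the quote characters by hand but keeping data out of the SQL text entirely, which is the same discipline whether the driver is sqlite3, ADO.NET SqlParameter, or anything else.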

  9. Mery says:

    Your site is really very interesting. http://www.bignews.com