Not calling the developers 'morons' is a good start :)
Seriously, you have to change culture. People have to realize that the
quality of their design, code, tests and documentation is paramount.
Once people accept a culture change like this, everything becomes pretty
easy.
So the next question is how do you change the culture? Simple - you hit
the top brass, this is what we did here at Msft. My group started making
its best progress when we had buy-in from billg and steveb, and the
other senior execs.
Now it's a no-brainer.
[Writing Secure Code] http://www.microsoft.com/mspress/books/5957.asp
[Protect Your PC] http://www.microsoft.com/protect
[Blog] http://blogs.msdn.com/michael_howard
[On-line Security Training]
http://mste/training/offerings.asp?TrainingID=53074
-----Original Message-----
From: Yvan Boily [mailto:yboily@seccuris.com]
Sent: Monday, August 30, 2004 10:45 AM
To: secprog@securityfocus.org
Subject: "Selling" a code-audit.
One of my primary responsibilities with my employer is performing code
audits; so far I have been fairly effective in a technical capacity,
however
on almost every single code audit I have participated in I have received
hostile responses from the development team. I have tried a variety of
approaches to develop a stronger rapport with the development team,
however
in spite of my best efforts I find that going into a code audit I am
already
fighting against preconceptions about why the code audit is being
performed.
I understand that many people feel threatened when work they have done
is
criticized; what I need to know is how I can minimize this and coax the
development teams into being more interactive than defensive. Any
pointers?
Yvan Boily
