
Should Security be Moved out of Software Development?

I read an interesting e-mail from CIO today: Should security be moved out of IT? That prompted me to wonder if security should be moved out of software development. Quality has been. It seems that the two areas are different sides of the same coin. We do not write 100% defect-free code. It is not possible, I think, to do so. That is why quality was moved out, I think. Is it possible to write 100% secure code? Probably not. I would think that this means that security should be moved out also. If anyone has been doing so, I would be interested in hearing about their experiences: good or bad. Should it just be taken for granted that we all should write secure code? Regardless of the application, its audience, or its uses? I think if it is not, it should be.

The company I work for, RamSafe, writes applications that deal with security, emergency response, and disaster planning, so maybe I am being just a bit naive. I have always TRIED to write secure applications but never really concerned myself so much with secure code. I know about cross-site scripting and SQL injection, of course, and prepare for them at the application level, but I don't deal with code access security as much as other developers do. Is code access security the final plateau or just the beginning? Can we take it farther?



Copyright © Jason Bentley