Minnesota Governor Tim Pawlenty has ordered an audit of all state web sites (registration required; see BugMeNot.com). This is in response to the audit findings I wrote about last night.

Wow. A bold and necessary step, but probably an unfunded mandate. This will make the governor look good, but I am worried that the audit won’t have nearly the resources it needs to be done properly, and that it will result in knee-jerk overspending such as hiring consultants for quick fixes. We don’t need quick fixes; we need software development processes that incorporate security planning and assessment. On the bright side, I’m willing to bet that where there are security problems, addressing a few issues (the quick fixes) will have a big impact on existing apps, so a deep audit of each one won’t be necessary. Low-hanging fruit and all that.

There are at least a couple of things preventing more secure development: apathy and lack of funding. I say apathy because security is something to which people pay lip service but do not even attempt to understand. Because of that, it’s easy to point to a lack of resources as the reason security isn’t addressed properly. Developer training is sadly lacking (this is true throughout the industry, and we do a terrible job of integrating security into the computer science curriculum), and security is not addressed throughout the development lifecycle, which ends up being more expensive than building it in from the start.

I’ll write a lot more about this later. Were I not putting the finishing touches on handouts for next week’s presentation, I’d write more now.