Why is it that many developers aren't interested in Security?
My team (The Microsoft Developer Community Champions) changes the content for our events every eight to twelve weeks. We have a marketing guru on our team, Amy Babson (one of the few marketing people who really rock), and Amy evaluates all kinds of statistics about developer event attendance and feedback.
In March and April, MSDNEvents was all about developing secure applications. The statistics for those months have revealed an interesting anomaly. The first part is that attendance was comparatively low, much lower than our current attendance for sessions on Application Blocks, Reporting Services, Whidbey, & Yukon.
This surprises me, as my “How Hackers Hack” session at TechEd had the 2nd highest breakout attendance at the event this year.
Several of my regular attendees have mentioned to me that their management did not think attending sessions on writing secure code was an effective use of their time. The same managers recognized the importance of getting a preview of the next generation of developer tools and database technologies from Microsoft.
The second surprise is that while attendance was lower than we expected, the Developer Satisfaction scores for the events were some of the highest that MSDN has ever had. The developers who came to the events loved what they learned and the testimonials had lots of comments that indicate those lessons will change the way they write code.
I think that developers tend to perceive application security as a network administrator problem. This perspective has proven to be wrong and unsuccessful. I think the science of writing secure applications is not only one of the most important developer topics of the day, but also one of the most interesting.
I plan to focus my summer web casts primarily on Security for developers.
So please tell me, what areas are you most interested in, and why do you think managers and some developers seem disinterested in Developing Secure Applications?