
Re: secprog Digest 18 Nov 2002 18:35:57 -0000 Issue 113

From: George Capehart <gwc(at)capehassoc.com>
Date: Fri Nov 22 2002 - 19:17:07 EST

David Wheeler wrote:
>
> > Before the rest of my response, I'd like to make clear that I believe

<snip>

I've bitten my tongue through the "bad developer library" thread on this list, but I can't stand it any longer. <rant> Seems to me there are several problems that contribute to the proliferation of insecure software. Certainly programmer ignorance is one. I agree 100%. Having said that, I really believe that if one of the criteria for hiring programmers was their ability to write secure code, the training institutions would graduate programmers who could write secure code. I have been in the industry a long time and have worked in and around many different organizations . . . from the very small to the very large. I have worked with/in software development firms, manufacturing companies, financial services organizations, county governments and everything in between. *Never once*, in the 21 years that I have been in the industry, have I heard a product manager, project manager or development manager place better over faster and/or cheaper. This translates out to: "To hell with doing it The Right Way (TM), get it done yesterday! Just get it working . . . we can fix it when somebody complains."

At one of my venues, I was a project manager on one project that had just finished getting the requirements and was beginning the design phase when, one day in March, the business owner of the system came to me and said, "On June 1, I'm going to pull the plug on the old system. The new one had better be ready." The old system did order entry, invoicing, inventory management and shipping. We got it done . . . but, for the next four years I had two people full time with their fingers in the dike, fixing bugs and "enhancing" functionality to make the system run.

At another venue, I was the technology program manager on a project to start up a Web site that did online financial transactions. Time-to-market was the only concern and the business owner of the system did not care about the risk he was assuming by pushing things on a fast track . . .

Based on the preceding two paragraphs, it would be easy to "blame" the "pointy haired managers" for not caring about the lack of security that their insistence on haste engenders. In the end, though, I believe it is the customer who ultimately defines the level of security that is built into systems. Customers get what they are willing to pay for. Educated customers who require top quality, secure products get them. Windows customers get what they deserve. Personally, I want to deliver the best possible product I can. There are many companies that do so. There *are* six-sigma companies. These companies operate in spaces in which their customers are educated and have a point of reference. What point of reference does the average Windows user have? Windows. What point of reference does the average pointy-haired manager have? Whomever yelled loudest at him. The rest of the argument is left as an exercise for the reader.

So, is there any mystery that there is no emphasis on secure programming in the educational process? Who cares? The employers? Who is sophisticated enough to demand and recognize secure software when it bites them? Not the pointy-haired manager. Not the average Windows user . . .


So, when will we see secure software? A) in the isolated shop that takes a craftsman's pride in delivering a top quality product, and/or B) when consumers demand it. For now, I'm looking for A. </rant>

gwc

--
George W. Capehart

Capehart Associates LLC                         Phone:  +1 704.678.1660
1604 Nottingham Drive                           Fax:    +1 704.853.2624
Gastonia, NC  28054

"We did a risk management review.  We concluded that there was no risk
 of any management."  -- Dilbert
Received on Mon Nov 25 15:27:33 2002

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:44 EDT
