Re: Standards for developing secure software
I like it when talk comes to the choice of language. Unfortunately, most
of the time a few points are overlooked which I find are most important.
Features of different languages and technologies are compared without
looking at the cause of failure of most projects and software development:
- The choice of technology is most seldom done on the question of what is
best for that specific task. Either it is done by marketing (MS Partners
will not choose anything without MS logo on it), or it is chosen by the
management (We choose Java since everybody talks about it and I don't want
to risk my head), or it is chosen by the first developer in project (I
always used C++ and everything else is crap and my ego does not allow me
to use anything else.)
- The architecture of projects is most of the time either not done and the
coding of the project starts ahead of any architecture because of
deadlines or it is done by a not so much experienced developer.
- Security is not a feature, since it is not needed for the business rules
and in a demo for the customer, he won't notice if any security measures
are in place or not, but he sees if things run like he wants them to. So
first the project is made to run and generate results as needed and then
in the last three minutes before the end, security is added. Many times even
after most of the testing is done on the code...
I could go on like that, but I think I made a point :) Even my list above
may look a bit sarcastic. I have seen all of those scenarios more than
once.
I think you have to choose the technology and language according to the
environment and task you want to do. Security can be built and enforced
with every language and most probably within every technology. Java can be
fast, PHP can be fast, C++ can be slow. It's all about knowing and the
respective environment one uses the language and technology in.
There is only one pitfall: you need to know what you do to do so...
Regards,
Adrian
Received on Fri Jan 24 13:40:04 2003