Firewall Wizards mailing list archives
Re: tunnel vs open a hole
From: "R. DuFresne" <dufresne () sysinfo com>
Date: Thu, 10 Apr 2003 09:07:41 -0400 (EDT)
It seems that the real power holder in the whole debate is perhaps that identity having been pointed to and referenced more frequently in recent rants on coding styles and such; the consumer. On that bent, perhaps a holding of breath for change to take place in forcing companies and their coders and such to pay more attention to the details of secureity and bounds checks and all, might well result in a number of purple heads/faces blowing up under-pressure. Afterall, we as a buying public still payout large sums of cash yearly for SUV's that almost need a direct link to a gas pump, roll over wiht slight twists of the steering mechanics to avoind obsticles, and do extremely poorly in crash tests. Even with seatbelts and airbags installed, under federal regulations. Thanks, Ron DuFresne On Wed, 9 Apr 2003, George Capehart wrote:
On Tuesday 08 April 2003 11:21 pm, Marcus J. Ranum wrote:Behm, Jeffrey L. wrote:<pet peeve> When will programmers begin (again) to do basic error checking? </pet peeve>It's sure as hell not because the tools don't exist. Even back in the late 1980's you had tools like Saber-C (now CodeCenter) that did huge amounts of runtime error checking. The tools are there and have been there; it's the "get it to market yesterday" mindset and the fact that a lot of software engineers are spoiled brats that have allowed the lunatics to take control of the asylum.<pre-rant> Yes, there are *many* tools to help write, trace, and clean code. There are also several Web sites, books, and, yes, even coding standards that deal with writing sane (and secure) code. There are even whole programs designed to impose good process on the whole system development life cycle (the Rational Unified Process, the CMMI and SSE-CMM come immediately to mind). And, back in the Dark Ages when I was actually writing code, I *knew better* than to take the shortcuts I was taking, but in the face of having to deliver a product yesterday, for free, I was put in the position of having to slam dunk a system. </pre-rant> <rant> It's my conviction that all of this is a management problem. If the business owner of the product/project or whatever really gave a rat's a**, error checking *would* exist in code. Or, even if the project manager . . . or the technical lead cared, there would be processes in place *at every phase of the SDLC* to identify and manage risk and control errors. We learned (relatively) long ago that the earlier in the SDLC we discover errors/mistakes/problems the cheaper it is to fix. Rhetorical question: When was the last time anyone was on a project where there was serious focus on identifying problems and fixing them as early as possible? Gotta say that I was recently on a very large project ( > 10^7 USD) for a very well-known company and the **_only_** focus was meeting a delivery date. An important point is that the delivery date had assumed a certain start date and certain resource level. The start date had slipped by several months and the staffing level was at less than half of the planned level. So, take a guess how much code review is going on on that project . . . Guess how much testing will be done. Guess how much detail *design* was done. Bottom line: Until business system owners (whether it be of an internal project or a product) are held accountable for the security, quality and performance of the systems for which they are responsible, programmers will continue to work 16-hour plus days busting their humps and *not* doing any more in their code than they absolutely have to because they don't have ***TIME*** to. </rant> My very cynical $0.02. Sorry . . . I get this way. Seems like the people who would care the most, care the least. Disclaimer: I work for neither Rational/IBM or the SEI.
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com
"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
-- Johnny Hart
testing, only testing, and damn good at it too!
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- Re: tunnel vs open a hole, (continued)
- Re: tunnel vs open a hole George Capehart (Apr 09)
- Re: tunnel vs open a hole Marcus J. Ranum (Apr 09)
- Re: tunnel vs open a hole George Capehart (Apr 09)
- Re: tunnel vs open a hole Marcus J. Ranum (Apr 09)
- Re: tunnel vs open a hole R. DuFresne (Apr 10)
- Re: tunnel vs open a hole Bill Royds (Apr 10)
- Re: tunnel vs open a hole Marcus J. Ranum (Apr 10)
- Re: tunnel vs open a hole George Capehart (Apr 09)
- Re: tunnel vs open a hole Dave Piscitello (Apr 10)
- Re: tunnel vs open a hole Adam Shostack (Apr 09)
- Re: tunnel vs open a hole Mike Frantzen (Apr 10)
- Re: tunnel vs open a hole R. DuFresne (Apr 10)
- Re: tunnel vs open a hole George Capehart (Apr 10)
- Re: tunnel vs open a hole Joseph S D Yao (Apr 10)
- Re: tunnel vs open a hole George Capehart (Apr 10)
- Re: tunnel vs open a hole Duncan Sharp (Apr 10)
- Re: tunnel vs open a hole George Capehart (Apr 14)
- Re: tunnel vs open a hole Duncan Sharp (Apr 14)
- Re: tunnel vs open a hole Duncan Sharp (Apr 16)
- Re: tunnel vs open a hole Magosányi Árpád (Apr 11)
- Re: tunnel vs open a hole Gary Flynn (Apr 10)
- Re: tunnel vs open a hole Paul Robertson (Apr 10)