Secure Coding mailing list archives

Previous By Date Next
Previous By Thread Next

RE: Re: Application Insecurity --- Who is at Fault?

From: "Yousef Syed" <ysyed () dial pipex com>
Date: Mon, 11 Apr 2005 13:17:50 +0100
Further to the Bridge Example (and any other construction); there is a great
deal of external oversight involved here. 
The plans will be submitted to the planning departments, and building
control of the local council (at least in the UK). They will be scrutinized
by these external systems long before any planning/building approval is
given to the project to even begin. [Are the foundations deep enough. Will
the soil support those foundations? Is there access to the Sewerage system?
Are there enough Fire Exits etc. To civic issues - Are you cutting down too
many trees? Is there enough parking for the proposed use? Etc.]. Plans will
be sent back and forth to the Architects until they are satisfied.
When the initial foundations are laid, someone will come from the council's
planning department to oversea this and make sure that the correct
consistency of cement is used and the correct depth is dug etc. 
Numerous different regulations need to be satisfied before and during the
construction project. 

Software projects are way behind that level of oversight!

Ys
P.S. My dad is an Architect, so I spent MANY Summers on building sites, in
my youth... :-)
--
Yousef Syed


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Edward Rohwer
Sent: 10 April 2005 23:01
To: [EMAIL PROTECTED]; 'Margus Freudenthal'
Cc: 'Secure Coding Mailing List'
Subject: RE: [SC-L] Re: Application Insecurity --- Who is at Fault?

 I my humble opinion, the bridge example gets to the heart of the
matter. In the bridge example the bridge would have been design and
engineered by licensed professionals, while we in the software business
sometime call ourselves "engineers" but fall far short of the real,
professional, licensed engineers other professions depend upon.  Until we as
a profession are willing to put up with that sort of rigorous examination
and certification process, we will always fall short in many area's and of
many expectations.

Ed. Rohwer CISSP

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of [EMAIL PROTECTED]
Sent: Friday, April 08, 2005 10:54 PM
To: Margus Freudenthal
Cc: Secure Coding Mailing List
Subject: [SC-L] Re: Application Insecurity --- Who is at Fault?

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Margus Freudenthal wrote:


Consider the bridge example brought up earlier. If your bridge builder
finished the job but said: "ohh, the bridge isn't secure though. If
someone tries to push it at a certain angle, it will fall".


Ultimately it is a matter of economics. Sometimes releasing something

earlier 

is worth more than the cost of later patches. And managers/customers are

aware 

of it.


Unlike in the world of commercial software, I'm pretty sure you don't 
see a whole lot of construction contracts which absolve the architect of 
liability for design flaws.  I think that is at the root of our 
problems.  We know how to write secure software; there's simply precious 
little economic incentive to do so.

- --
David Talkington
[EMAIL PROTECTED]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (FreeBSD)

iD8DBQFCV24Q5FKhdwBLj4sRAoC9AKCb6j5dKOLgFwDMuVa8giSbMvmW2gCfdwn7
QcS6J7NVPFsISzhLoBgQWHM=
=0ZSy
-----END PGP SIGNATURE-----
Previous By Date Next
Previous By Thread Next

Current thread: