Secure Coding mailing list archives
BSIMM: Confessions of a Software Security Alchemist (informIT)
From: Kevin.Wall at qwest.com (Wall, Kevin)
Date: Wed, 18 Mar 2009 17:14:00 -0500
Gary McGraw wrote:
We had a great time writing this one. Here is my favorite paragraph (in the science versus alchemy vein): "Both early phases of software security made use of any sort of argument or 'evidence' to bolster the software security message, and that was fine given the starting point. We had lots of examples, plenty of good intuition, and the best of intentions. But now the time has come to put away the bug parade boogeyman, the top 25 tea leaves, black box web app goat sacrifice, and the occult reading of pen testing entrails. The time for science is upon us."
I might agree with your quote of "The time for science is upon us." if it were not for the fact that the rest of computer science / engineering is far ahead of computer security (IMO), and they are *still* not anywhere near real "science", at least as practiced as a whole. (There probably are pockets here and there.) For the most part, based on what I see in industry, I'm not even sure we have reached the alchemy stage! (Compare where most organizations are still at with respect to SEI's CMM. The average is probably Level 2. Most organizations no longer even think of CMM as relevant.)

My observation is that very few people in the IT profession--outside of academia at least--belong to either ACM or IEEE-CS or any other professional organization that might challenge them. I question, on a professional level, how much we are going to progress as an industry when most in this profession seem to think that they do not need anything beyond the "Learn X in 24 Hours" type pablum. (Those are fine as far as they go, but if you think that's all that's required to make you proficient in X, you have surely missed the boat.)

Please note, however, that I do not think this mentality is limited to those in the IT / CS professions. Rather, it is a pandemic of this age.

Anyhow, I'll shut up now, since this will surely take us OT if I persist.

-kevin
---
Kevin W. Wall
Qwest Information Technology, Inc.
Kevin.Wall at qwest.com
Phone: 614.215.4788
"It is practically impossible to teach good programming to students that have had a prior exposure to BASIC: as potential programmers they are mentally mutilated beyond hope of regeneration"
- Edsger Dijkstra, How do we tell truths that matter?
http://www.cs.utexas.edu/~EWD/transcriptions/EWD04xx/EWD498.html