Secure Coding mailing list archives

BSIMM: Confessions of a Software Security Alchemist(informIT)


From: Kevin.Wall at qwest.com (Wall, Kevin)
Date: Wed, 18 Mar 2009 17:14:00 -0500

Gary McGraw wrote:

We had a great time writing this one.  Here is my favorite
paragraph (in the science versus alchemy vein):
"Both early phases of software security made use of any sort
of argument or 'evidence' to bolster the software security
message, and that was fine given the starting point. We had
lots of examples, plenty of good intuition, and the best of
intentions. But now the time has come to put away the bug
parade boogeyman, the top 25 tea leaves, black box web app
goat sacrifice, and the occult reading of pen testing
entrails. The time for science is upon us."

I might agree with your quote of "The time for science is upon us." if
it were not for the fact that the rest of computer science / engineeering
is far ahead of computer security (IMO), and they are *still* not anywhere
near real "science", at least as practiced as a whole. (There probably are
pockets here and there.) For the most part, based on what I see in industry,
I'm not even sure we have reached the alchemy stage! (Compare where most
organizations are still at with respect to SEI's CMM. The average is probably
Level 2. Most organizations no longer even think of CMM as relevant.)

My observation is that very few people in the IT profession--outside
of academia at least--belong to neither ACM or IEEE-CS or any other
professional organization that might challenge them. I question, on
a professional level, how much we are going to progress as an industry
when most in this profession seem to think that they do not need anything
beyond the "Learn X in 24 Hours" type pablum. (Those are fine as far
as they go, but if you think that's all that's required to make you
proficient in X, you have surely missed the boat.)

Please note, however, that I do not think this mentality is limited
to those in the IT / CS professions. Rather, it is a pandemic of this age.

Anyhow, I'll shut up now, since this will surely take us OT if I persist.

-kevin
---
Kevin W. Wall           Qwest Information Technology, Inc.
Kevin.Wall at qwest.com    Phone: 614.215.4788
"It is practically impossible to teach good programming to students
 that have had a prior exposure to BASIC: as potential programmers
 they are mentally mutilated beyond hope of regeneration"
    - Edsger Dijkstra, How do we tell truths that matter?
      http://www.cs.utexas.edu/~EWD/transcriptions/EWD04xx/EWD498.html



Current thread: