Security Basics mailing list archives

Re: A Question of Quality


From: rohnskii () gmail com
Date: 6 Nov 2008 21:20:06 -0000

From my point of view, the first issue is simply money.  Users/companies haven't wanted to pay for quality.  Get it 
done!  Fast and dirty.  I actually had a client analyst use that phrase, "Fast and Dirty".  The funny part was after I 
delivered it that way, the lead user acceptance tester rejected the project, but they liked the project enough to pay 
us overtime rates to redo it in another programming language.

The second issue is that security is still a relatively new issue.  One that has gone from trivial Word macro nuisances 
in the mid 90's to a multi billion dollar underground economy 15 years later.  Straight business people simply haven't 
had time to grasp the concept as fully as the criminals have.  We are getting there but it is still an uphill battle.  
We are just now getting rid of the programmers who started their careers writing programs for stand-alone (non-networked) 
mainframe computers. Widespread networking didn't come into play until the mid 90's so it wasn't till long after that 
programmers had to worry about threats from networked computing. 

Third, ownership of quality.  My team leader on a Y2K project had worked on a new application around 1991.  Although he 
pointed out that it was irresponsible to use 2 digit date fields, the people paying the bill didn't agree.  On that Y2K 
project I was "slapped down" because I asked the programmers under me to make some additional "quality" changes while 
they were "in the neighbourhood".  One of the first programming tasks was to add a couple of options to a CASE 
statement.  But that was before CASE syntax was available so it was a bloody great NESTED IF.  It went through 2 pages 
of printed listing, then called another program.  That program was written by someone else using different variable 
names (for the same data) and it continued the nested IF for another page and a half.  When I asked about this obvious 
stupidity I was told that it was written that way to original spec.  One of the original specs was that a program not 
be more than 2 pages long ... so they split that single statement into 2 programs (SIGH).
