Firewall Wizards mailing list archives

Re: tunnel vs open a hole


From: "Marcus J. Ranum" <mjr () ranum com>
Date: Wed, 09 Apr 2003 20:44:45 -0400

George Capehart wrote:
<rant>
It's my conviction that all of this is a management problem.  If the business 
owner of the product/project or whatever really gave a rat's a**, error 
checking *would* exist in code.

It's an across the board problem. I think there's enough blame to go around,
honestly. :)

The bubble of the late 1990's taught a generation of programmers, their managers,
executives, and venture capitalists that "crap today is better than good tomorrow."
The landscape was littered with companies that didn't make it because they got
out the door 2 weeks behind the guys who just shovelled it over the fence. So
we can blame:
        - The customers, who chose to compensate mediocrity with IPO millions
        - The managers, who encouraged programmers to try to meet insane schedules
        - The execs, who set the insane schedules
        - The programmers, who wrote a lot of really insecure junk
In my previous posting on this topic, this was what I was referring to about the
"get it to market yesterday" mindset and how the lunatics wound up taking over
the asylum. Hey, if customers are going to make you a bazillionaire for writing crud,
why not give them what they want, right?

        So, across the board - the entire board - we have *UTTERLY* failed
as an industry to take seriously a few serious things. The last time I was managing
a bunch of software engineers, I bought 2 licensed copies of CodeCenter (a terrific
tool literally worth its weight in gold) and 2 copies of Purify. Nobody ever used them
except me and, I think, one other guy a couple times. I guess, as "management"
I failed because I simply expected that engineers would be professional enough
to care? No, that doesn't wash - the bottom line was that some of the engineers
I've worked with (so called "software engineers") didn't even know how to use a
debugger because they thought that using printf()s was "faster" and they were on
a tight schedule and didn't have time to learn gdb...   I'm sorry, but that, to me, is
not professionalism. Managers have to demand it, and have to support their
engineers in taking the extra time to use the tools and follow the procedures
to write rock-solid code. And they have to be able to help control executives'
expectations as to schedules. Everyone, across the board, has to do their
job right. So do the customers.

mjr. 
---
Marcus J. Ranum                         http://www.ranum.com
Computer and Communications Security    mjr () ranum com

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
