Firewall Wizards mailing list archives

Re: tunnel vs open a hole


From: Crispin Cowan <crispin () wirex com>
Date: Thu, 10 Apr 2003 18:32:16 -0700

Marcus J. Ranum wrote:

> This is an intellectually stimulating discussion for us, I'm sure, but basically
> it's going to go around in circles for ever. Because software and the pressures
> on the software industry are complex and interdependent. You literally cannot
> point at one spot and say "THERE'S THE PROBLEM!" - if it was that easy,
> don't you think it would have been fixed a long time ago??  In fact, in order to
> have significant improvement in software quality (and therefore security)

I can point a finger :-) *The* problem is that "software engineering" is
not actually an engineering discipline, it is a black art. Software
development is not repeatable, not predictable, not manageable, and
depends critically on key individuals. This is an art form.

We can all *wish* for software to become an engineering discipline, but
that doesn't make it so, no matter how much money you put behind it. The
SE research community has been working on making it actually be an
engineering discipline for 20 or 30 years or so, and they've made some
marginal progress, but it is still fundamentally an art form.

All of the issues discussed here (flaky software, unreasonable
management demands, unreasonable engineering development delay, etc.)
all reduce to the one true problem that software development is not a
predictable process, and thus must be finessed.

This is a subtly separate problem from the origin of this thread, "why
is software so vulnerable?" There, I agree with MJR: code quality will
not substantially improve until customers start demanding quality over
features. Until then, managers will do what they are supposed to do:
give the customers what they want.

Crispin

--
Crispin Cowan, Ph.D.                      http://wirex.com/~crispin/
Chief Scientist, WireX                    http://wirex.com
HP/Trend Micro Immunix Secured Solutions
http://h18000.www1.hp.com/products/servers/solutions/iis/
                            Just say ".Nyet"


