Firewall Wizards mailing list archives

Re: Why are developers choosing to...


From: "Paul D. Robertson" <paul () compuwar net>
Date: Fri, 20 Jan 2006 14:51:49 -0500 (EST)

On Fri, 20 Jan 2006, hermit921 wrote:

concepts.  For example, the concept of a network port.  I had one developer 
that insisted his application didn't listen on a port, it used the 
subnet.  Some of them don't understand the concept of a directory 

Niiiice.  You should have told him it was masked and your security policy 
didn't allow applications that used the subnet mask, could he unmask it?

I am starting to blame a lot of this on GUI development products.  I am 
trying to be nice and not completely blame the developers and the bozo 
managers who hire them.  The IDE takes care of everything other than the 
actual code by using various default settings.  This leaves the developers 
without any reason to learn what environment the application has to work 
in.  It works in their GUI, doesn't it?

It's worse.  I talked to a developer last week who used C++ to do their 
application.  "Your app isn't doing the right thing with my client's 
proxy" was met with "Oh, I don't know what that class actually does, I 
just put it in there based on the docs, I don't have any way to test that 
here..."  "Ok, when your application calls connect..." and "Ok, the 
initial SYN is..." got me "Wow!  I have no idea what you're talking about, 
the words sound valid, but you're speaking a foreign language!"

Delphi components were the start of this for me.  At the time, I had a 
developer who was complaining that his wonderful application wouldn't work 
with our corporate mail server.  I traced the session and said "I'm sorry, 
your application isn't doing valid RFC-compliant SMTP."  "Well, it's an 
SMTP component, but I don't know what it does and can't change it!"
Needless to say, rather than changing my SMTP server to accept slightly 
broken SMTP, he got to go find a new SMTP component (ISTR it was 
reversing "mail from" and "rcpt to".)

This is yet another symptom of the disease that nobody *really* knows what 
code is in their applications in closed-source environments *even if they 
wrote the application*.  You want a winning infowar strategy?  Develop a 
cool framework for anything network-based and pay folks to use it.  You'd 
win.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
http://fora.compuwar.net      Infosec discussion boards 

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

