Secure Coding mailing list archives

RE: Interesting article ZDNet re informal software development quality


From: "Alun Jones" <alun () texis com>
Date: Fri, 09 Jan 2004 00:26:35 +0000

-----Original Message-----
From: George Capehart [mailto:[EMAIL PROTECTED] 
Sent: Thursday, January 08, 2004 3:50 PM

On Wednesday 07 January 2004 04:57 pm, Alun Jones wrote:
the time".  Sadly, in the current employment climate, we're likely to
see too many people lose their jobs for that kind of
"insubordination", and be replaced by people who don't care as much.

Which tells everything we could possibly want to know about how 
important security is to that organization.

Not likely; it'd tell the programmer everything he needs to know on that
topic, but unfortunately the rest of us would not be able to determine the
truth of such a claim.  The company would say "oh, of course he'd say that,
he just got fired", and nobody would be able to tell for sure.

I just don't think accreditation is the controlling variable in this 
situation.  You defined the problem yourself.  The problem is that 
feature-rich and time-to-market trumps doing things the right way.

I know - accreditation wouldn't solve a whole lot of stuff, but like
security in general, it raises the barrier to entry - even if only a little.

IMHO, that would be the worst possible work environment for a
conscientious, knowledgeable professional.  All of the cards are stacked
against him/her and it will be a very stressful place to work until
they can find another job.  It's the management decisions that are the
problem . . . They create their problems.  They create an environment
in which the only people who are willing to stay around are the
clueless ones . . .  Been there, done that.  Don't ever intend to go
back . . .

It's never the easy problems that get the good discussions going :-)

Many programmers are well aware of what needs to be done to get good
security, but few feel like they have the time to do so.  I'm never
satisfied that I've spent enough time securing what I release, but I have to
cut off at some point so that I can get some income to fund further work.
Part of good security is balancing security against features and risk.

Security is not an absolute.

Alun.
~~~~
-- 
Texas Imperial Software   | Find us at http://www.wftpd.com or email
1602 Harvest Moon Place   | [EMAIL PROTECTED]
Cedar Park TX 78613-1419  | WFTPD, WFTPD Pro are Windows FTP servers.
Fax/Voice +1(512)258-9858 | Try our NEW client software, WFTPD Explorer.