Re: Interesting article ZDNet re informal software development quality

[George Capehart <gwc () acm org>]

On Wednesday 07 January 2004 04:57 pm, Alun Jones wrote:

<snip>

> I've long suspected that one of the things that needs to happen in
> order for security to make its way into software is for developers to
> develop some backbone, so that they can tell their bosses "I can't
> give you the feature you've asked for, as securely as is appropriate,
> in the time you've asked for.  I will not write it unsecurely, so you
> need to determine whether to lose / reduce the feature, or increase
> the time".  Sadly, in the current employment climate, we're likely to
> see too many people lose their jobs for that kind of
> "insubordination", and be replaced by people who don't care as much.

Which tells everything we could possibly want to know about how 
important security is to that organization.

> I hate to say it, but maybe it's time for developers to become
> accredited professionals, and for employers to insist on getting
> qualified developers, rather than picking anyone who's read a book on
> C.

I just don't think accreditation is the controlling variable in this 
situation.  You defined the problem yourself.  The problem is that 
feature-rich and time-to-market trumps doing things the right way.  
IMHO, that would be the worst possible work environment for a 
conscientious, knowledgable professional.  All of the cards are stacked 
against him/her and it will be a very stressful place to work until 
they can find another job.  It's the management decisions that are the 
problem . . . They create their problems.  They create an environment 
in which the only people who are willing to stay around are the 
clueless ones . . .  Been there, done that.  Don't ever intend to go 
back . . .

FWIW,

/g