Secure Coding mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Is developer education a lost cause?

From: George Capehart <gwc () acm org>
Date: Sat, 24 Jan 2004 04:18:13 +0000
On Thursday 22 January 2004 11:35 pm, Chris Wysopal wrote:


He argues that secure coding is impractical.  I have submitted a
rebuttal. I think layering defenses to isolate buggy vulnerable
software and continuously patching is impractical.


I couldn't agree more.  It is no harder to do it "right" than it is to 
do it "wrong."  It is a matter of discipline and technique.  It is one 
of the first lessons of discipline in any endeavor, whether it be 
sport, manufacturing or software development.  There is a vast 
literature and experience base from the quality/QA/TQM/Six Sigma 
universes to support that.  That's road apples!  Do it right the first 
time!  The idea of purposely deciding to accept continual patching to 
me has neither an appealing ROI nor TCO.

I do think defense-in-depth and layering defenses is a good idea in 
general, though . . .

FWIW.

/g
Previous By Date Next
Previous By Thread Next

Current thread: