Secure Coding mailing list archives

Re: Missing the point?


From: Crispin Cowan <crispin () immunix com>
Date: Mon, 26 Apr 2004 14:49:05 +0100


Michael A. Davis wrote:


> A Network World article,
> http://www.nwfusion.com/news/2004/0419codereview.html, discusses the
> various MS patches that came out last week. Ellen Messmer, the
> author, talks about the many companies and startups that are selling
> products to help with code auditing and testing to help automate the
> security review process.
>
> Isn't she missing the point? It is not the source code that is the
> problem -- it is the developer.
 

I completely disagree: it is the code that counts. The developer can get 
run over by a bus, and we will still be running the code.


Developer education is *one* path to higher code quality. Better tools 
are another. But better code quality is definitely the end-goal.


Crispin

--
Crispin Cowan, Ph.D.  http://immunix.com/~crispin/
CTO, Immunix          http://immunix.com
Immunix 7.3           http://www.immunix.com/shop/
