Secure Coding mailing list archives

Re: Application Insecurity --- Who is at Fault?


From: Crispin Cowan <crispin () immunix com>
Date: Fri, 08 Apr 2005 20:45:54 +0100


Julie JCH Ryan, D.Sc. wrote:

Other students chimed in on the argument positing that the programming 
challenge was an inaccurate measure of student programming capability 
because the contestant was not allowed to do research on the internet 
during the challenge.  Another said the problem was that the challenge 
was too long and required contestants to have memorized too much.


Formal contests are always inaccurate abstractions of the real world. As 
you raise the value of the contest, this inevitably pressures 
contestants to "game the system" and target the artificial artifacts of 
the game rules instead of the real world. Whether this has happened to 
the ACM Programming contest is a subjective opinion. IMHO, a closed-book 
contest is no longer very relevant to the real world, where Google is 
always just seconds away.


This is particularly interesting to me because I just had a doctoral 
student come to me with an idea for dissertation research that 
included a hypothesis that organizations at SEI 1 were better able to 
estimate software development time and costs than organizations at SEI 
5.  He didn't seem to grasp the implications to quality, security, 
life cycle maintenance, etc.


Or it could be that the student is positing that the methods mandated in 
the SEI are a grand waste of time, which would be an interesting 
hypothesis to test. Certainly the successes of open source development 
models make a mockery of some of the previously thought hard rules of 
Brooks' "Mythical Man Month", and I dare say that traditional software 
engineering methods deserve questioning.


Crispin

--
Crispin Cowan, Ph.D.  http://immunix.com/~crispin/
CTO, Immunix          http://immunix.com
