Secure Coding mailing list archives
re-writing college books - erm.. ahm...
From: Kevin.Wall at qwest.com (Wall, Kevin)
Date: Mon, 6 Nov 2006 08:02:38 -0600
In response to a post by Jerry Leichter, Gadi Evron wrote...
A bridge is a single-purpose device. A watch is a simple purpose computer, as was the Enigma machine, if we can call it such. Multi-purpose computers or programmable computers are where our problems start. Anyone can DO and create. One simply has to sit in front of a keyboard and screen and make it happen.
Let us keep in mind that in the name of profits (and ignoring our prophets, see .sig, below), as an industry, we have strived to lower the entry level of programming by introducing "diseases" (I'll probably catch some flak for that) such as Visual Basic, etc. so that managers who have never had even the simplest introduction to computer science can now develop their own software, complete with security vulnerabilities. This only exacerbates the situation.

To add to that, often you get some manager or marketing type who slaps together a "working" prototype of something they or a customer is asking for by using a spreadsheet, an Access "database", and some VB glue that works for maybe 100 records and then s/he thinks that a small development team should be able to tweak that prototype to turn it into an enterprise-wide, Internet-facing application that can handle millions of records, handle a transaction volume that is 3 or 4 orders of magnitude larger than the prototype handles, and slap it all together in a couple of weeks. Developers have to cut corners somewhere, and since security issues are not paramount, that's often what gets overlooked.

As an industry, I think that we've, in part, done this to ourselves. When I started in this industry 27 years ago, at least real software engineering techniques were _attempted_. There were requirements gathered, specifications written and reviewed, designs written, reviewed, and applied, and an extensive testing period after coding was more or less complete. But that used to take 15-20 people about 1 to 2 years. Now we've compressed that down to 90 days or so, so something had to give (besides our sanity ;-).

What I see today is a few "analysts" go talk to marketing or other stakeholders and they write up some "user stories" (not even real "use cases"; what I'm referring to but more like a sentence or two describing some basic, sunny-day-only usage scenario collected into a spreadsheet). From there, the application development teams jump directly into coding/testing, magically expecting the design to somehow just "emerge" or expecting to be able to "refactor it" later (if there ever is a "later"). (Can you tell I think that extreme programming--at least as practiced here--has been a horrible failure, especially from a security POV? :)

I ask you, just where would civil or mechanical engineering be today if they had encouraged the average construction worker to develop their own bridge or design their own buildings rather than relying on architects and engineers to do this? That's just one reason why things are as bad as they are. Today, I don't even see professional software developers develop software using good software engineering principles. ("It takes too long" or "It's too expensive" are the usual comments.)

Or where would we be if the city council expected to build a new 80-story skyscraper, starting from inception, in only 6 months? It's no wonder that we so often hear that remark that says "If [building] architects built buildings the way that software developers build software, the first woodpecker that came by would destroy civilization."

Maybe what we need is to require that as part of the software development education, we need to partly indoctrinate them into other "real" engineering disciplines and hope that some of it rubs off. Because, IMO what we are doing now is failing miserably.

BTW, if you've not yet read the Dijkstra article referenced below, I highly recommend it. It's quite dated, but it's a gem for .sig quotes.

-kevin

Std disclaimer: Everything I've written above reflects solely my own opinion and not the opinion of any of my employers, past or present.

---
Kevin W. Wall
Qwest Information Technology, Inc.
Kevin.Wall at qwest.com
Phone: 614.215.4788
"It is practically impossible to teach good programming to students that have had a prior exposure to BASIC: as potential programmers they are mentally mutilated beyond hope of regeneration"
- Edsger Dijkstra, How do we tell truths that matter?
http://www.cs.utexas.edu/~EWD/transcriptions/EWD04xx/EWD498.html