Secure Coding mailing list archives

re-writing college books - erm.. ahm...


From: Kevin.Wall at qwest.com (Wall, Kevin)
Date: Mon, 6 Nov 2006 08:02:38 -0600

In response to a post by Jerry Leichter, Gadi Evron wrote...

A bridge is a single-purpose device. A watch is a simple
purpose computer, as was the Enigma machine, if we can call
it such.

Multi-purpose computers or programmable computers are where
our problems start. Anyone can DO and create. One simply has
to sit in front of a keyboard and screen and make it happen.

Let us keep in mind that in the name of profits (and ignoring our
prophets, see .sig, below), as an industry, we have strived to
lower the entry level of programming by introducing "diseases"
(I'll probably catch some flak for that) such as Visual Basic,
etc. so that managers who have never had even the simplest
introduction to computer science can now develop their own
software, complete with security vulnerabilities. This only
exacerbates the situation. To add to that, often you get some
manager or marketing type who slaps together a "working" prototype
of something they or a customer is asking for by using a spreadsheet,
an Access "database", and some VB glue that works for maybe 100
records and then s/he thinks that a small development team should be
able to tweak that prototype to turn it into an enterprise-wide,
Internet-facing application that can handle millions of records,
handle a transaction volume that is 3 or 4 orders of magnitude larger
than the prototype handles, and slap it all together in a couple
of weeks.

Developers have to cut corners somewhere, and since security issues
are not paramount, that's often what gets overlooked.

As an industry, I think that we've, in part, done this to ourselves.
When I started in this industry 27 years ago, at least real software
engineering techniques were _attempted_. There were requirements
gathered, specifications written and reviewed, designs written,
reviewed, and applied, and an extensive testing period after
coding was more or less complete. But that used to take 15-20 people
about 1 to 2 years. Now we've compressed that down to 90 days or so,
so something had to give (besides our sanity ;-). What I see today
is a few "analysts" go talk to marketing or other stakeholders and
they write up some "user stories" (not even real "use cases"; what
I'm referring to is more like a sentence or two describing some basic,
sunny-day-only usage scenario collected into a spreadsheet). From
there, the application development teams jump directly into coding/testing,
magically expecting the design to somehow just "emerge" or expecting to
be able to "refactor it" later (if there ever is a "later"). (Can you
tell I think that extreme programming--at least as practiced here--has
been a horrible failure, especially from a security POV? :)

I ask you, just where would civil or mechanical engineering be today
if they had encouraged the average construction worker to develop their
own bridges or design their own buildings rather than relying on
architects and engineers to do this? That's just one reason why things
are as bad as they are. Today, I don't even see professional software
developers develop software using good software engineering principles.
("It takes too long" or "It's too expensive" are the usual comments.)
Or where would we be if the city council expected to build a new
80-story skyscraper, starting from inception, in only 6 months?
It's no wonder that we so often hear the remark that says

 "If [building] architects built buildings the way that
 software developers build software, the first woodpecker
 that came by would destroy civilization."

Maybe what we need is to require, as part of software development
education, that we partly indoctrinate them into other "real"
engineering disciplines and hope that some of it rubs off. Because, IMO,
what we are doing now is failing miserably.

BTW, if you've not yet read the Dijkstra article referenced below, I
highly recommend it. It's quite dated, but it's a gem for .sig quotes.

-kevin

Std disclaimer: Everything I've written above reflects solely my own
                opinion and not the opinion of any of my employers,
                past or present.
--- 
Kevin W. Wall           Qwest Information Technology, Inc. 
Kevin.Wall at qwest.com     Phone: 614.215.4788
"It is practically impossible to teach good programming to students 
 that have had a prior exposure to BASIC: as potential programmers 
 they are mentally mutilated beyond hope of regeneration" 
    - Edsger Dijkstra, How do we tell truths that matter? 
      http://www.cs.utexas.edu/~EWD/transcriptions/EWD04xx/EWD498.html 


