Secure Coding mailing list archives

SC-L Digest, Vol 6, Issue 56


From: platsakos at gmail.com (AK)
Date: Fri, 19 Mar 2010 20:28:02 +0200


As soon as a "non-developer" creates code, they are no longer a "non-developer".  By definition, they are now a developer!

Of course, they may completely lack any kind of knowledge about security.  Just like most developers, I should add.  
I expect this problem to *increase* over time.


  

For the case that one is creating a product/service I will have to
rephrase a bit.

Substitute "non-developer" with "person who lacks all but the most basic
notions of software engineering". So, technically, yeah, they are
developers, but probably they are not good developers and will run into a
multitude of problems, one of which will be security.


However, by non-developers, I was meaning people who write code as a
"one-off" (e.g. a security consultant writes some quick and dirty code
to fuzz something, or someone writing a script for home use). Even if
the security knowledge is there, since security is not a required
property, it just will not be in the resultant code, as the code is
supposed to be used a few times and then thrown away (or hopefully
rewritten :-) )
That may be true in some places.  But all too often real knowledge and expertise is rare.  Many "System Admins", esp. 
in the Windows world, do not understand the underlying technology at all.  They only know how to 
point-and-click based on recipes created by others (e.g., local instructions or whatever Google tells them).  All too 
often we *train* while ignoring *education*.

When they have to program at all, these kinds of people perform "cargo cult programming" (see 
http://en.wikipedia.org/wiki/Cargo_cult_programming ).
  

If an organization hires (or outsources to) point-n-click admins (which,
I'll hazard a guess, on average will cost less than the admins who
have invested time sharpening their saw), the organization will most
likely have operational problems, which are not limited to security,
even before the admins type "shebang", IMHO.

