Re: [fw-wiz] tunnel vs open a hole

From: George Capehart (
Date: 04/10/03

  • Next message: Marcus J. Ranum: "Re: [fw-wiz] tunnel vs open a hole"
    From: George Capehart <>
    To: "Marcus J. Ranum" <>, "Behm, Jeffrey L." <>,
    Date: Wed, 9 Apr 2003 18:30:32 -0400

    On Tuesday 08 April 2003 11:21 pm, Marcus J. Ranum wrote:
    > Behm, Jeffrey L. wrote:
    > ><pet peeve>
    > >When will programmers begin (again) to do basic error checking?
    > ></pet peeve>
    > It's sure as hell not because the tools don't exist. Even back in the late
    > 1980's you had tools like Saber-C (now CodeCenter) that did huge amounts
    > of runtime error checking. The tools are there and have been there; it's
    > the "get it to market yesterday" mindset and the fact that a lot of
    > software engineers are spoiled brats that have allowed the lunatics to take
    > control of the asylum.

    Yes, there are *many* tools to help write, trace, and clean code. There are
    also several Web sites, books, and, yes, even coding standards that deal with
    writing sane (and secure) code. There are even whole programs designed to
    impose good process on the whole system development life cycle (the Rational
    Unified Process, the CMMI and SSE-CMM come immediately to mind). And, back
    in the Dark Ages when I was actually writing code, I *knew better* than to
    take the shortcuts I was taking, but in the face of having to deliver a
    product yesterday, for free, I was put in the position of having to slam dunk
    a system.

    It's my conviction that all of this is a management problem. If the business
    owner of the product/project or whatever really gave a rat's a**, error
    checking *would* exist in code. Or, even if the project manager . . . or the
    technical lead cared, there would be processes in place *at every phase of
    the SDLC* to identify and manage risk and control errors. We learned
    (relatively) long ago that the earlier in the SDLC we discover
    errors/mistakes/problems the cheaper it is to fix. Rhetorical question:
    When was the last time anyone was on a project where there was serious focus
    on identifying problems and fixing them as early as possible? Gotta say that
    I was recently on a very large project ( > 10^7 USD) for a very well-known
    company and the **_only_** focus was meeting a delivery date. An important
    point is that the delivery date had assumed a certain start date and certain
    resource level. The start date had slipped by several months and the
    staffing level was at less than half of the planned level. So, take a guess
    how much code review is going on on that project . . . Guess how much testing
    will be done. Guess how much detail *design* was done. Bottom line: Until
    business system owners (whether it be of an internal project or a product)
    are held accountable for the security, quality and performance of the systems
    for which they are responsible, programmers will continue to work 16-hour
    plus days busting their humps and *not* doing any more in their code than
    they absolutely have to because they don't have ***TIME*** to.

    My very cynical $0.02.

    Sorry . . . I get this way. Seems like the people who would care the most,
    care the least.

    Disclaimer: I work for neither Rational/IBM or the SEI.

    George Capehart
    PGP Key ID 63F0F642 at
    "Given sufficient thrust, pigs fly just fine . . ."
     -- RFC 1925
    firewall-wizards mailing list

  • Next message: Marcus J. Ranum: "Re: [fw-wiz] tunnel vs open a hole"