Re: secprog Digest 18 Nov 2002 18:35:57 -0000 Issue 113
From: George Capehart (gwc@capehassoc.com)
Date: 11/23/02
- In reply to: David Wheeler: "Re: secprog Digest 18 Nov 2002 18:35:57 -0000 Issue 113"
Date: Fri, 22 Nov 2002 19:17:07 -0500
From: George Capehart <gwc@capehassoc.com>
To: David Wheeler <dwheeler@ida.org>
David Wheeler wrote:
>
> > Before the rest of my response, I'd like to make clear that I believe
> > that poor programmer education is one of the primary reasons we have
> > so many vulnerabilities.
>
> I believe the _MOST_ important step to take today is to get
> EVERY software developer trained in how to write secure applications.
> It is _CRIMINAL_ that we still permit computer science and
> software engineering graduates to graduate without knowing
> the fundamentals on writing secure programs!
<snip>
I've bitten my tongue through the "bad developer library" thread on this
list, but I can't stand it any longer. <rant> Seems to me there are
several problems that contribute to the proliferation of insecure
software. Certainly programmer ignorance is one. I agree 100%. Having
said that, I really believe that if one of the criteria for hiring
programmers was their ability to write secure code, the training
institutions would graduate programmers who could write secure code. I
have been in the industry a long time and have worked in and around many
different organizations . . . from the very small to the very large. I
have worked with/in software development firms, manufacturing companies,
financial services organizations, county governments and everything in
between. *Never once*, in the 21 years that I have been in the
industry, have I heard a product manager, project manager or development
manager place better over faster and/or cheaper. This translates out
to: "To hell with doing it The Right Way (TM), get it done yesterday!
Just get it working . . . we can fix it when somebody complains."
At one of my venues, I was a project manager on one project that had
just finished getting the requirements and was beginning the design
phase when, one day in March, the business owner of the system came to
me and said, "On June 1, I'm going to pull the plug on the old system.
The new one had better be ready." The old system did order entry,
invoicing, inventory management and shipping. We got it done . . . but,
for the next four years I had two people full time with their fingers in
the dike, fixing bugs and "enhancing" functionality to make the system
run.
At another venue, I was the technology program manager on a project to
start up a Web site that did online financial transactions.
Time-to-market was the only concern and the business owner of the system
did not care about the risk he was assuming by pushing things on a fast
track . . .
Based on the preceding two paragraphs, it would be easy to "blame" the
"pointy haired managers" for not caring about the lack of security
that their insistence on haste engenders. In the end, though, I believe
it is the customer who ultimately defines the level of security that is
built into systems. Customers get what they are willing to pay for.
Educated customers who require top quality, secure products get them.
Windows customers get what they deserve. Personally, I want to deliver
the best possible product I can. There are many companies that do so.
There *are* six-sigma companies. These companies operate in spaces in
which their customers are educated and have a point of reference. What
point of reference does the average Windows user have? Windows. What
point of reference does the average pointy-haired manager have?
Whoever yelled loudest at him. The rest of the argument is left as an
exercise for the reader.
So, is there any mystery that there is no emphasis on secure programming
in the educational process? Who cares? The employers? Who is
sophisticated enough to demand and recognize secure software when it
bites them? Not the pointy-haired manager. Not the average Windows
user . . .
So, when will we see secure software? A) in the isolated shop that
takes a craftsman's pride in delivering a top quality product, and/or B)
when consumers demand it. For now, I'm looking for A.
</rant>
gwc
--
George W. Capehart
Capehart Associates LLC
1604 Nottingham Drive
Gastonia, NC 28054
Phone: +1 704.678.1660
Fax: +1 704.853.2624
"We did a risk management review. We concluded that there was no risk of any management." -- Dilbert