Re: [Lit.] Buffer overruns

From: Barry Margolin (barmar_at_alum.mit.edu)
Date: 12/17/04


Date: Thu, 16 Dec 2004 20:01:40 -0500

In article <6Wowd.60168$Uf.29497@twister.nyroc.rr.com>,
 caj@B-r-a-i-n-H-z.com (Xcott Craver) wrote:

> Douglas A. Gwyn <DAGwyn@null.net> wrote:
> >Xcott Craver wrote:
> >
> >> Okay, done, now what's step two?
> >
> >That is somewhat dependent on the environment, but involves
> >such things as putting good technical management in place,
> >having the best programmers doing the most critical coding,
> >establishing code walkthroughs and security reviews, etc.
> >I.e. good software engineering practice.
>
> Code walkthroughs and security reviews? Isn't that more
> of those so-called training wheels?
>
> After all, the argument is that safer tools incur an unnecessary
> penalty on responsible coders who don't need it. Likewise,
> those responsible coders don't need to have their time wasted
> by code auditing, right?
>
> In either case, you're having someone/something other than the
> coder making sure the code is good, and catching mistakes.
> Can we not raise the same complaint that the responsibility
> should lie with the coder to do right without aid?

Sure, that's their responsibility. But we're all human, so we make
mistakes. There are a number of ways to deal with this:

1) Use tools that make it easier to do things right in the first place;

2) Automate those processes that are amenable to this, to take the
fallible humans out of the loop (although then you're trusting the
authors of the automation);

3) Reviews by other competent programmers;

4) Test tools that discover problems.

IMHO, code walkthroughs are one of the best techniques. Quite often an
independent set of eyes will notice things that the author keeps
missing. We employ proofreaders and technical reviewers for books;
doesn't it make even more sense to use them for critical code?

-- 
Barry Margolin, barmar@alum.mit.edu
Arlington, MA
