17th June, 2010, 05:23 AM
Gizmo

This article strikes a glancing blow at what, I feel, is the heart of the problem.

In the article, they make note of the fact that most programmers have no interest in secure programming methods and techniques. They say that this is partly due to the fact that programmers are 'builders and artists' and thus have no interest in security. They also observe that because programmers are under deadlines, anything that doesn't have to be done doesn't get done. Finally, they observe that companies have built application development frameworks to facilitate secure software development, but these frameworks and the management and development processes they require are frequently very expensive.

All of these arguments are rubbish, IMO.

Let's look at the 'builders and artists' comment first (and actually, this is directly applicable to the 'deadlines' argument as well). Any of you know an architect, an artist, a musician? What separates the good ones from the mediocre ones? Without exception, in my experience, it is the fact that they have a vision of what it is they want to create, and they will accept no compromises; no shortcuts; no inferior materials; most importantly, no inferior workmanship. Good art uses only the minimum necessary to achieve the desired outcome, but it uses ALL of what it has available to maximum effect; thus there can be no compromises on the quality of the components or workmanship.

I have opined before that writing good software is as much art as it is science, and I believe that to be true. The good programmers, the people who turn out good quality code time after time after time, have the same attitude that good artists, musicians, and architects do. It's got to be right, or they won't put their name to it. I believe this is true of ANY professional who actually cares about their craft.

Finally, the argument about the cost of the secure development frameworks. This actually has a grain of truth to it; using secure frameworks is frequently VERY expensive. The main reason for that (IMO) is because it proceeds from the notion that secure software can be produced if only we use languages that don't allow certain features, or that don't do certain things.

That simply isn't true. I will bet serious money that I can take the most robust secure software development environment in existence, and write code that has security holes in it.

The notion that all you have to do is use secure development tools and processes and you can create secure software is as fatally flawed as the notion that you can turn someone loose with all the latest power tools and they can build the perfect house.

IMO, the reason Johnny can't develop secure software is because Johnny, on average, simply doesn't care. Most of the software I see is utter garbage that barely runs, and the only reason it runs AT ALL is because we have created software development tools that actually are too good. The tools have progressed to the point that any trained monkey can write an app and stand a pretty fair chance of having that app work. Unfortunately, we haven't really asked the question of whether or not we really want trained monkeys writing apps.