Security Basics mailing list archives
Re: A Question of Quality
From: rohnskii () gmail com
Date: 6 Nov 2008 21:20:06 -0000
From my point of view, the first issue is simply money. Users/companies haven't wanted to pay for quality. Get it done! Fast and dirty. I actually had a client analyst use that phrase, "Fast and Dirty". The funny part was after I delivered it that way, the lead user acceptance tester rejected the project, but they liked the project enough to pay us overtime rates to redo it in another programming language.
The second issue is that security is still a relatively new issue. One that has gone from trivial Word macro nuisances in the mid 90's to a multi-billion-dollar underground economy 15 years later. Straight business people simply haven't had time to grasp the concept as fully as the criminals have. We are getting there but it is still an uphill battle. We are just now getting rid of the programmers who started their careers writing programs for stand-alone (non-networked) mainframe computers. Widespread networking didn't come into play until the mid 90's so it wasn't till long after that programmers had to worry about threats from networked computing.

Third, ownership of quality. My team leader on a Y2K project had worked on a new application around 1991. Although he pointed out that it was irresponsible to use 2 digit date fields, the people paying the bill didn't agree. On that Y2K project I was "slapped down" because I asked the programmers under me to make some additional "quality" changes while they were "in the neighbourhood". One of the first programming tasks was to add a couple of options to a CASE statement. But that was before CASE syntax was available so it was a bloody great NESTED IF. It went through 2 pages of printed listing, then called another program. That program was written by someone else using different variable names (for the same data) and it continued the nested IF for another page and a half. When I asked about this obvious stupidity I was told that it was written that way to original spec. One of the original specs was that a program not be more than 2 pages long ... so they split that single statement into 2 programs (SIGH).