Secure Coding mailing list archives

RE: Re: Application Insecurity --- Who is at Fault?

From: "Chris Matthews" <cmatthews () xn com>
Date: Mon, 11 Apr 2005 20:57:49 +0100

Dave Paris wrote:

It's also much more likely that the "foreman" (aka
programming manager) told the builder (programmer) to take shortcuts to

meet time and budget - rather than the programmer taking it upon
themselves to be sloppy and not follow the specifications.


I'd note that there is the question "if the programmer was given a
undefined time period in which to deliver said software, would they be
able to deliver code that is free of 'mechanical' (buffer overflows,
pointer math bugs, etc) bugs?".

Additionally, as an industry, we will only really have the answer to the
above question when the programming managers allocate a programmer the
time to truly implement specifications in a "mechanically secure" way.

But I agree with the premise that a programmer cannot be held
accountable for (design) decisions that were out of his control.  He can
only be accountable for producing "mechanically" correct behaviour.

-Chris

(Note that references to "mechanical" bugs are ones that really are
within the programmer's realm to avoid, and include language specific
and language agnostic programming techniques.)

Current thread:

Re: Application Insecurity --- Who is at Fault?, (continued)
- - - Re: Application Insecurity --- Who is at Fault? Blue Boar (Apr 07)
    - Re: Application Insecurity --- Who is at Fault? Michael Silk (Apr 07)
    - Re: Application Insecurity --- Who is at Fault? Margus Freudenthal (Apr 07)
    - Re: Application Insecurity --- Who is at Fault? dtalk-ml (Apr 10)
    - Re: Application Insecurity --- Who is at Fault? ljknews (Apr 10)
    - RE: Re: Application Insecurity --- Who is at Fault? Edward Rohwer (Apr 10)
    - Re: Re: Application Insecurity --- Who is at Fault? Crispin Cowan (Apr 11)
    - Re: Re: Application Insecurity --- Who is at Fault? Kenneth R. van Wyk (Apr 11)
    - Re: Re: Application Insecurity --- Who is at Fault? Michael Silk (Apr 11)
    - Re: Re: Application Insecurity --- Who is at Fault? Dave Paris (Apr 11)
    - RE: Re: Application Insecurity --- Who is at Fault? Chris Matthews (Apr 11)
    - Re: Re: Application Insecurity --- Who is at Fault? Michael Silk (Apr 11)
    - Re: Re: Application Insecurity --- Who is at Fault? der Mouse (Apr 12)
    - Re: Re: Application Insecurity --- Who is at Fault? Michael Silk (Apr 12)
    - Re: Re: Application Insecurity --- Who is at Fault? der Mouse (Apr 12)
    - Adding some unexpected reliability expectations ljknews (Apr 13)
    - Re: Adding some unexpected reliability expectations Rob, grandpa of Ryan, Trevor, Devon & Hannah (Apr 13)
    - Re: Re: Application Insecurity --- Who is at Fault? Michael Silk (Apr 13)
    - Re: Re: Application Insecurity --- Who is at Fault? Dave Paris (Apr 13)
    - Re: Re: Application Insecurity --- Who is at Fault? Michael Silk (Apr 14)
    - Re: Re: Application Insecurity --- Who is at Fault? Dave Paris (Apr 14)

(Thread continues...)