Saturday, January 07, 2006

More on software development laziness

In my previous posting, I commented on the trend of developers using customer machine cycles in an attempt to absolve themselves from the need to produce quality code. If you follow the link from the title above, you'll see a sidebar written by Eugene Spafford entitled, "Are the bad guys winning?" Prof. Spafford comments on the current lack of attention given to security in software development. To me, this is just another example of the same sort of reasoning: the only thing that counts in software development is the bottom line of the next upgrade cycle.

Now, while I might object to the idea of software developers burning my computer's cycles to compensate for fundamental laxities in their development processes (for example, by using managed languages so their programmers don't need to worry about freeing allocated memory themselves), I at least recognize that this is a feasible approach. In other words, developers really can compensate for poor processes this way.

Such is not the case for security. Burning my cycles does nothing to make computer systems more secure. The only thing that will, as Prof. Spafford writes, is hiring people with real security knowledge and skill and paying attention to development processes that foster security. I would argue that these are the same steps that would foster more efficient, higher-quality code. Which of the following three potential futures (from Spafford) do you think will happen?

In the first, the market realizes the cost of tacking security onto systems as an afterthought, and demands and compensates vendors for simpler, more secure systems... The second outcome is that we limit our use of information technology to avoid security-related problems. The third outcome is that we continue on our merry way until the system implodes.
