From: Jerry Feldman
On Friday 15 April 2005 11:50 am, synthetoonz@bellsouth.net wrote:
[snip]
Bad, lazy programmers are the source of security holes regardless of language.
I generally agree with this, but not all security holes are caused by bad and lazy programmers. A lot of times, there are some risks in code because the programmer has not forseen it.
One real problem in the industry, and has been since Grace Hopper found the first bug, is the lack of proper testing. I have rarely seen a situation where a proper design-code-unit-test-test cycle has been effectively utilized.
I think we're pretty close to that here. I'm responsible for a real-time financial transaction system and MANY people and merchants would get bent out of shape if we added bugs to a new release. We reserve a full month in the release schedule for QA and regression testing after the development code freeze. I never seen any other place be this extreme with testing.
I've also seen many programmers who don't have a clue how to test.
Yeah. We have to be careful with test plan reviews, since the coding grunts writing test plans tend to only think about positive tests and ignore the negatives or ignore the things that are improbable, because they mistakenly consider the situation impossible.
But, I've also seen some people who can take a well designed and tested application, and find bugs immediately.
Ahh. I see you've met my mother-in-law. I believe she is cursed with the ability to destroy any software product my merely touching the computer it runs on. (Or perhaps it's just static electricity. ;-)