On Saturday 16 April 2005 02:06, Jerry Feldman wrote: <snip>
One should take a look at FORTH, or at least Charles Moore's writings. Using already existing tested code has long been a good programming practice. This is why we have standard libraries in C (libc), and C++ (stdc++, STL).
Bad, lazy programmers are the source of security holes regardless of language.
I generally agree with this, but not all security holes are caused by bad and lazy programmers. A lot of times, there are some risks in code because the programmer has not foreseen it. One real problem in the industry, and has been since Grace Hopper found the first bug, is the lack of proper testing. I have rarely seen a situation where a proper design-code-unit-test-test cycle has been effectively utilized. I've also seen many programmers who don't have a clue how to test. But, I've also seen some people who can take a well designed and tested application, and find bugs immediately.
I agree with both of you. In particular, I was given two weeks to test some code. I told the young guy who had written most of it (he is exceptionally good) that I had been given two weeks to test it, but he just walked out the door ??? Then I discovered that he had gone back to his room and estimated that the code would take two man-years to test. He presented this estimate to the boss who increased the test time to four weeks. A year after I left they fired the official tester! That's an M$ attitude for you!
Jerry Feldman <gaf@blu.org> Boston Linux and Unix user group http://www.blu.org PGP key id:C5061EA9 PGP Key fingerprint:053C 73EC 3AC1 5C44 3E14 9245 FB00 3ED5 C506 1EA9
Regards, Colin