Date: Sat, 15 Jul 2006 22:04:08 -0400
From: George Capehart <gwc@....org>
To: Darren Reed <avalon@...igula.anu.edu.au>,
	bugtraq@...urityfocus.com
Subject: Re: LAMP vs Microsoft

Bob Beck wrote:

<snip>

> 
> 	The simple fact is most of the MS/PHP/JAVA web development will be
> being done by code monkeys, fresh out of school.. I'm pretty certain
> they will "inbug" the same average number of bugs per line of code
> they write no matter what platform it is. Development is often
> outsourced to an external coding haus, written to a spec, without
> complete info about what the whole final application is going to do.
> Frequently they don't even reuse "mature" code from past releases
> because you don't want to release it to the external people, or you're
> too busy chasing platform-du-jour (Want a great example of this? I'm
> betting Sun One, going from version 5 to version 6 is a good one)
<rant>
This is truer than you know.  I've been writing code since 1974, and I
see the same mistakes being made over and over and over and over . . .
again.  Just as in wars, it seems that every generation is destined to
make the mistakes that their elders made.  There is no industry-wide
repository of "Lessons Learned."  Each generation is left to make the
same mistakes over and over.  If one were to do a root-cause analysis,
what would one find?  Programming courses teach grammar and syntax.
They do not teach "safe programming."  (Except Crispin and Dave, of
course . . .)  Programming managers are programmers who grew up and
decided they'd had enough of the 80-hour weeks and wanted to become
managers.  They don't know/care, either.  It's only when the "powers
that be" decide that it's better business to deliver bug-free, secure
code than shipping mostly-working code out the door that things will
change.  Wanna take a bet on how long that'll be?
</rant>

Apologies.  Usually this rant appears on firewall wizards or dshield . . .
Just happened to be bugtraq this time

/g
-- 
George Capehart

PGP KeyID:  0xDD7034EA

"Sometimes you're the windshield, sometimes you're the bug."
 -- Mark Knopfler