[kwlug-disc] Security arguments

unsolicited unsolicited at swiz.ca
Wed Sep 23 16:15:41 EDT 2009 

L.D. Paniak wrote, On 09/23/2009 3:58 PM:
> Khalid Baheyeldin wrote:
>>     0. Everybody starts out as a newbie.
>>     1. Newbies make mistakes and (by definition) don't understand every
>>     nuance of their programming/sysadminning environments.
>>     2. Therefore, mistakes will be made.
>>
>>     This has some implications:
>>
>>     0. If you expect your programmers and sysadmins to go through hoops to
>>     make their code secure, then there will either be a lot of insecure
>>     code or there won't be any newbies (so your language will die).
>>
> There is implication 0.5:
> 
> If you make your code absolutely secure at the cost of making it too
> hard for newbies to use, then no one will be able to afford software
> developers. Or software.
> 
> Windows 8 would cost $500 for the upgrade version and there would be a
> lot fewer open source projects in the world.
> 
> As with anything, it is a cost-benefit balance.  You could spend 3 years
> debugging your code and make sure it is airtight, or you can get it out
> the door today and get your paycheque.
> 
> What is security worth to you in time and $$? That is going to determine
> how secure your code or website is.

This is the all too typical pay me now or pay me later syndrome. And 
Paul is lamenting the pay me later problem. And who can blame him.

To your point, the poor developer chooses pay me later, and is 
probably long gone when that moment comes. And if not, then it becomes 
a new project, with new funding, and a new schedule.

Really, we're not talking about developers in this thread, but those 
holding the purse strings willing to up-front fund education. And in 
this uncertain world of whether the app will be in use tomorrow, or 
whether or not today's development tool / environment / language will 
even be in use or around tomorrow, it doesn't happen.

Moreover ... to what extent, really, has bad code really bitten?

One could almost think of good coding practices as a warranty. And in 
today's environment purchasing an extended warranty doesn't always 
make sense - if you drop it or it breaks, it'll be cheaper next year, 
if this version, and not some new and improved one is out, is even 
available.

How many devices that work just fine are being repurchased today, just 
because GSM has now been integrated?

More information about the kwlug-disc mailing list