I think most here agree to a certain point. Writing software is impossible without errors. I also feel that holding a gun at the head of a developer in order to 'persuade' him or her to write better code is not going to help. We are after all humans, we need motivation and stimulation in order to get better at what it is we need to do.
However, what is more important is that the processes surrounding the software that needs to be produced, whether result of a client requirement or as part of a new idea, is sound and helps to avoid and remove errors.
Developers have an obligation to take note of known exploits, known attack vectors, and make sure to avoid these pitfalls. But it is impossible to predict all types of attacks, so the processes that govern the requirement gathering, designing, development, testing and the continued maintenance on the software once released are equally important. The whole organisation is part of that quality and security process, not just the developer. Plus, the cost of the production of the software is a very important consideration.
In light of this I found the old article about the space shuttle software development extremely interesting. It clearly shows that it IS possible to write near-perfect software, but that has its price. But a well-driven development organisation is in principle capable to produce solid, error-free code. By adjusting the mindset of people and modifying the processes that introduced errors.
Read it if you don't know it yet, it is a very nice article that I keep in my bookmarks...
Slashdot Mirror
I think most here agree to a certain point. Writing software is impossible without errors. I also feel that holding a gun at the head of a developer in order to 'persuade' him or her to write better code is not going to help. We are after all humans, we need motivation and stimulation in order to get better at what it is we need to do.
However, what is more important is that the processes surrounding the software that needs to be produced, whether result of a client requirement or as part of a new idea, is sound and helps to avoid and remove errors.
Developers have an obligation to take note of known exploits, known attack vectors, and make sure to avoid these pitfalls. But it is impossible to predict all types of attacks, so the processes that govern the requirement gathering, designing, development, testing and the continued maintenance on the software once released are equally important. The whole organisation is part of that quality and security process, not just the developer. Plus, the cost of the production of the software is a very important consideration.
In light of this I found the old article about the space shuttle software development extremely interesting. It clearly shows that it IS possible to write near-perfect software, but that has its price. But a well-driven development organisation is in principle capable to produce solid, error-free code. By adjusting the mindset of people and modifying the processes that introduced errors.
Read it if you don't know it yet, it is a very nice article that I keep in my bookmarks...
http://www.fastcompany.com/node/28121/print