On Sun, Jul 7, 2013 at 3:25 PM, CodesInChaos <codesinch...@gmail.com> wrote:
>> So introductory-level programming course mistakes are right out.
>
> In my experience it's quite often a really simple mistake that gets you,
> even when you're an experienced programmer. I'm quite afraid of simple
> off-by-one bug,
This thread started off with discussion of peer review, so I have shown that even expensive, well-qualified peer review (and I am sure that Veracode people are qualified) didn't help in this case. There is a misconception as to what peer review is supposed to achieve, and what it can't deal with, and I believe this misconception is similarly true for both academia and engineering. Academic peer review is not supposed to deal with fraud. Engineering peer review will have a hard time dealing with incompetence (unless talking about a specific notion of peer review where e.g. a team lead sits with a junior programmer, closely reviewing every commit after thorough discussion).

The examples you have given are either algorithmic mistakes (nonce reuse) or frequent mistakes due to lack of attention (off-by-one). Both can be handled during peer review — expert analysis in the first case, and e.g. automatic static analysis using proprietary tools and extensive testing in the second case (which I guess was partly what Veracode did). But if you do something stupid, peer review probably won't help, unless the reviewer is ready to do something akin to implementing everything from scratch himself, and thoroughly comparing the implementations.

--
Maxim Kammerer
Liberté Linux: http://dee.su/liberte
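The two mistake classes named in the message above (an off-by-one in a bounds check, and nonce reuse under a single key) are exactly the kind of thing a reviewer can back up with small automated checks rather than eyeballing alone. The following is an added, constructed example, not code from this thread, from Veracode, or from the Liberté Linux project; the function names, the sample encryption log and the key ids are all invented for illustration. The first half shows a deliberately wrong `<=` bounds check beside its half-open fix and a boundary-value test that flags the wrong one; the second half scans a constructed (key, nonce) log and reports any nonce used twice under the same key.

```python
"""Two review-time checks for the mistake classes discussed in the thread:
an off-by-one in a bounds check (caught by boundary-value testing) and AEAD
nonce reuse under one key (caught by a scan over an encryption log).
Constructed example; function names and sample data are assumptions."""
from collections import defaultdict

# --- Off-by-one -------------------------------------------------------

def index_in_bounds_buggy(index: int, length: int) -> bool:
    """Deliberately wrong: '<=' accepts index == length, one past the end."""
    return 0 <= index <= length


def index_in_bounds(index: int, length: int) -> bool:
    """Correct half-open check: valid indices are 0 .. length-1."""
    return 0 <= index < length


def boundary_violations(check, length: int) -> list:
    """Boundary-value test: probe the values around both edges and return
    those where `check` disagrees with the oracle `0 <= i < length`.
    An empty list means the check passed."""
    probes = [-1, 0, 1, length - 1, length, length + 1]
    return [i for i in probes if check(i, length) != (0 <= i < length)]

# --- Nonce reuse ------------------------------------------------------

def nonce_reuse(records) -> list:
    """Given (key_id, nonce_hex) pairs from an encryption log, return the
    (key_id, nonce_hex) combinations that occur more than once.
    The same nonce under *different* keys is not a reuse; under one key it
    breaks the confidentiality and integrity guarantees of AES-GCM and
    ChaCha20-Poly1305, so it is worth flagging mechanically in review."""
    seen = defaultdict(int)
    for key_id, nonce in records:
        seen[(key_id, nonce)] += 1
    return sorted(k for k, n in seen.items() if n > 1)


# Constructed sample log (assumption): key "k1" reuses the nonce ending in 01.
SAMPLE_LOG = [
    ("k1", "000000000000000000000001"),
    ("k1", "000000000000000000000002"),
    ("k2", "000000000000000000000001"),  # same nonce, different key: fine
    ("k1", "000000000000000000000001"),  # reuse under k1: must be reported
]

if __name__ == "__main__":
    print("buggy check fails at:", boundary_violations(index_in_bounds_buggy, 8))
    print("fixed check fails at:", boundary_violations(index_in_bounds, 8))
    print("nonce reuse:", nonce_reuse(SAMPLE_LOG))
```

Running the block prints `[8]` for the buggy check (it accepts index 8 on a length-8 buffer), `[]` for the fixed one, and the single `("k1", ...01)` pair for the log. The boundary test is the "extensive testing" case from the message: it does not need to understand the code, only to probe both edges. The nonce scan is the cheaper half of the "expert analysis" case: it cannot tell you whether the nonce construction is sound, but it catches an actual repeat in recorded traffic or test vectors.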