> Maybe the test shouldn't focus on code at all? If we can agree that many
> flaws are found at design time even before code is written (Yes, most
> folks still use waterfall approaches but that is a different debate)
> then why can't questions occur at this level?

It was decided early on that this test would have a heavy emphasis on
coding, since programmers who've just entered the workplace (the target
examinees) are not likely to be heavily involved in design.  While this
decision was not unanimous, many of the core contributors agreed with this
philosophy.  Obviously this leaves a few gaps with respect to secure
software development, which I'm sure will be addressed by someone
somewhere, sometime.

- Steve
_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________
