Gary McGraw wrote:
> We had a great time writing this one. Here is my favorite
> paragraph (in the science versus alchemy vein):
> "Both early phases of software security made use of any sort
> of argument or 'evidence' to bolster the software security
> message, and that was fine given the starting point. We had
> lots of examples, plenty of good intuition, and the best of
> intentions. But now the time has come to put away the bug
> parade boogeyman, the top 25 tea leaves, black box web app
> goat sacrifice, and the occult reading of pen testing
> entrails. The time for science is upon us."
I might agree with your quote of "The time for science is upon us." if
it were not for the fact that the rest of computer science / engineeering
is far ahead of computer security (IMO), and they are *still* not anywhere
near real "science", at least as practiced as a whole. (There probably are
pockets here and there.) For the most part, based on what I see in industry,
I'm not even sure we have reached the alchemy stage! (Compare where most
organizations are still at with respect to SEI's CMM. The average is probably
Level 2. Most organizations no longer even think of CMM as relevant.)
My observation is that very few people in the IT profession--outside
of academia at least--belong to neither ACM or IEEE-CS or any other
professional organization that might challenge them. I question, on
a professional level, how much we are going to progress as an industry
when most in this profession seem to think that they do not need anything
beyond the "Learn X in 24 Hours" type pablum. (Those are fine as far
as they go, but if you think that's all that's required to make you
proficient in X, you have surely missed the boat.)
Please note, however, that I do not think this mentality is limited
to those in the IT / CS professions. Rather, it is a pandemic of this age.
Anyhow, I'll shut up now, since this will surely take us OT if I persist.
-kevin
---
Kevin W. Wall Qwest Information Technology, Inc.
kevin.w...@qwest.com Phone: 614.215.4788
"It is practically impossible to teach good programming to students
that have had a prior exposure to BASIC: as potential programmers
they are mentally mutilated beyond hope of regeneration"
- Edsger Dijkstra, How do we tell truths that matter?
http://www.cs.utexas.edu/~EWD/transcriptions/EWD04xx/EWD498.html
_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________
