Response Chain
Dangerous Errors Demand Real Investment
Writing and testing secure code demands sufficient time and compensation.
RDN recently reported on a SANS Institute and MITRE Corp. list of the 25 most dangerous programming errors. Redmond Developer Newsletter readers respond to panelist Ryan Barnett, director of application security research for Breach Security Inc., concerning the need for security to be part of dev contracts.
Barnett is dead on in this article. No developer is going to worry about errors as long as they don't affect his checkbook. In fact, I know one developer who specifically ignores errors. If his client doesn't ask for secure code, he assumes they know what they're doing -- if not, it's another contract. If they do ask for secure code, he figures that into the contract price. Either way, he makes sure he gets paid for it. Everyone's looking for the lowest possible price, so he feels he's cutting his own throat if he doesn't operate this way.
Thomas Higgins
U. S. Steel, Network Operations Center
Pittsburgh, Pa.
Developers are constantly working against unrealistic deadlines imposed from above by clueless managers and business owners. Sure, if a realistic deadline were agreed upon there would be time for complete defect checking, but at least in my world, there's barely enough time to get the functional requirements worked out within the deadline -- unless you put in 16- to 18-hour days and forget about sleeping.
I'm getting 40 percent to 60 percent less compensation for current projects than I was getting five years ago. Now my clients will want to include a "secure code" clause in their contracts and shrink the deadlines? This is getting dangerously close to the point where I decide that it isn't worth it and hit the road as a working musician.
Developers must get -- in the initial contract -- enough time and compensation to do the job right. If the initial contract is for three months at $50,000 for full functionality, then add another month to the deadline and another $10,000 to the bottom line for complete defect checking. Only then will you "magically" see programmers produce secure code.
Gary Raehse
Independent Consultant
Bayside, N.Y.