Discussion in 'other security issues & news' started by Dermot7, Feb 9, 2012.
Hmm... so what he's saying is we should keep on churning out crappy programs. Then we should test them (which is shockingly difficult & ineffective by the way). Then we spend a huge amount of time & money fixing the crappy code.
The whole process seems backwards to me: create something broken and then try to fix it. That's like getting pregnant then buying condoms.
Call me crazy but maybe we should collectively STOP WRITING CRAPPY PROGRAMS IN THE FIRST PLACE. Did the author consider architecture in his analysis of application security measures? If you start with a good architecture that builds in the prevention of known security flaws (even really basic ones like escaping user input), then there may be less reason to security test it afterwards. Never mind that programmers should know how to avoid writing code with basic vulnerabilities. Whose responsibility is it to make sure they know that (or care)?
Ha! Just saw this thread.
Which is pretty much what I was ranting about.