Further to the Bridge Example (and any other construction); there is a great deal of external oversight involved here. The plans will be submitted to the planning departments, and building control of the local council (at least in the UK). They will be scrutinized by these external systems long before any planning/building approval is given to the project to even begin. [Are the foundations deep enough. Will the soil support those foundations? Is there access to the Sewerage system? Are there enough Fire Exits etc. To civic issues - Are you cutting down too many trees? Is there enough parking for the proposed use? Etc.]. Plans will be sent back and forth to the Architects until they are satisfied. When the initial foundations are laid, someone will come from the council's planning department to oversea this and make sure that the correct consistency of cement is used and the correct depth is dug etc. Numerous different regulations need to be satisfied before and during the construction project.
Software projects are way behind that level of oversight! Ys P.S. My dad is an Architect, so I spent MANY Summers on building sites, in my youth... :-) -- Yousef Syed -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Edward Rohwer Sent: 10 April 2005 23:01 To: [EMAIL PROTECTED]; 'Margus Freudenthal' Cc: 'Secure Coding Mailing List' Subject: RE: [SC-L] Re: Application Insecurity --- Who is at Fault? I my humble opinion, the bridge example gets to the heart of the matter. In the bridge example the bridge would have been design and engineered by licensed professionals, while we in the software business sometime call ourselves "engineers" but fall far short of the real, professional, licensed engineers other professions depend upon. Until we as a profession are willing to put up with that sort of rigorous examination and certification process, we will always fall short in many area's and of many expectations. Ed. Rohwer CISSP -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Friday, April 08, 2005 10:54 PM To: Margus Freudenthal Cc: Secure Coding Mailing List Subject: [SC-L] Re: Application Insecurity --- Who is at Fault? -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Margus Freudenthal wrote: >> Consider the bridge example brought up earlier. If your bridge builder >> finished the job but said: "ohh, the bridge isn't secure though. If >> someone tries to push it at a certain angle, it will fall". > > Ultimately it is a matter of economics. Sometimes releasing something earlier > is worth more than the cost of later patches. And managers/customers are aware > of it. Unlike in the world of commercial software, I'm pretty sure you don't see a whole lot of construction contracts which absolve the architect of liability for design flaws. I think that is at the root of our problems. We know how to write secure software; there's simply precious little economic incentive to do so. - -- David Talkington [EMAIL PROTECTED] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.6 (FreeBSD) iD8DBQFCV24Q5FKhdwBLj4sRAoC9AKCb6j5dKOLgFwDMuVa8giSbMvmW2gCfdwn7 QcS6J7NVPFsISzhLoBgQWHM= =0ZSy -----END PGP SIGNATURE-----