Secure Coding Mailing List <sc-l.securecoding.org> (SC-L@SecureCoding.org)
List info: <http://www.securecoding.org/list/>
List archive: <http://lists.virus.org>
Dave Paris <[EMAIL PROTECTED]> wrote:

> The builder and the programmer are synonymous.
>
> The builder is neither the architect, nor the engineer for the
> structure. If the architect and engineer included "security" for the
> structure and the builder failed to build to specification, then the
> builder is at fault.
>
> The programmer is neither the application architect nor the system
> engineer.

This is often not true, even on some things that stretch a single programmer's productivity to the limits (which makes it even worse).

Programmers work within the specs they are given. That can (NOT SHOULD!) be anything from "use this language on this platform to implement this algorithm in this style", to "we need something that will help us accomplish this goal". The latter cries out for a requirements analyst to delve into it MUCH further, before an architect, let alone a programmer, is allowed anywhere NEAR it!

However, sometimes that's all you get, from a customer who is then NOT reasonably easily available to refine his needs any further, relayed via a manager who is clueless enough not to realize that refinement is needed, to a programmer who is afraid to say so lest he get sacked for insubordination, and who will also have to architect it.

If this has not happened at your company, you work for a company with far more clue about software development than, I would guess, easily 90% of the companies that do it.

-Dave