It’s about this time of year that I think…
- Why do reporters talk so much about NSA spying and Advanced Persistent Threats, when half the websites in existence will cough up cookies if you search for
- How can we expect people to write secure code when:
  - they don’t know what it is?
  - they can’t recognise insecure code?
  - it’s easier (more clicks, more thinks, etc) to write insecure code?
- What does it take for a developer to get:
  - a bad performance review?
  - just mildly discomforted?
- What is it about developers that makes us all believe that nobody else has written this piece of code before? (or that we can write it better)
- Every time a new fad comes along, whether it’s XML, PHP, Ruby, etc, why do we spend so much time recognising that it has the same issues as the old ones? But without fixes.
- Can we have an article on “the death of passwords” which will explain what the replacement is – and without that replacement turning out to be “a layer in front of a big password”?
- Should you let your application out (publish it, make it available on the Internet, etc) if it is so fragile that:
  - you can’t patch it?
  - you can’t update the framework or libraries on which it depends (aka patch them)?
  - you don’t want a security penetration test to be performed on it?
- Is it right to hire developers on the basis that they can:
  - steer a whiteboard to a small function which looks like it might work?
  - understand an obfuscated sample that demonstrates an obscure feature of your favourite framework?
  - tell you how to weigh twelve coins, one of which might be a fake?
  - bamboozle the interviewer with tales of technological wonders the likes of which he/she cannot fathom?
  - sing the old school song?
Ah, who am I kidding, I think those kinds of things all the time.