
The First Rule of Programming: It's Always Your Fault

I still dabble occasionally with programming in my spare time when I get the opportunity. I enjoy writing code but I don't profess to be particularly good at it: I could make things work, but I would take all the short cuts that usually form a good part of the software security presentations I give these days and write about. An example I recall with no small amount of embarrassment comes from my days leading the development of a website a number of years ago. A frantic call from the QA team alerted me to the fact that, all of a sudden, whenever anyone tried to log in, the full database connection string was being displayed in the browser: IP address, username, password, the works.

I launched an immediate investigation and began tracing through the history in the SourceSafe database (Microsoft Visual SourceSafe is software used for managing project code). The guilty code was quickly located, but who was to blame? Yes, yours truly had left some debug code behind. It was my fault. And that leads me neatly to this great blog post from Jeff Atwood entitled "The First Rule of Programming: It's Always Your Fault."

Statistically, you understand, it is incredibly rare for any bugs or errors in your software not to be your fault.
Programmers have a tendency to become very defensive about their work. Recently, when asked to discuss how his code was working, a programmer in one team I'm familiar with retorted to a project manager, "I'm here to write the code, not justify it." That's the same sort of attitude that produces exclamations such as "there's no risk" and "it's never been hacked before." But the point Jeff makes is one I wish programmers everywhere would take to heart: "If you truly aspire to being a humble programmer, you should have no qualms about saying hey, this is my fault-- and I'll get to the bottom of it."

These days I live by two rules: 1) never assume anything; 2) if you don't check, then it hasn't been done.
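As an added illustration of the incident above and of the second rule (it is example code written for this page, not code from the original site or from the post's author), here is a leaky login error path of the kind that leaked the connection string, a hardened version that keeps the detail in the server log under a correlation id, and the check that would have caught the leftover debug output before QA did. The configuration values, handler names and the simulated database failure are all constructed for the example.

```python
"""Leaky vs. hardened login error handling, plus a leak check.

Added example: all names, values and the simulated failure are constructed.
"""
import logging
import uuid

# Constructed sample configuration; not real credentials.
DB_CONN = {"host": "10.0.0.5", "user": "webapp", "password": "s3cret-example"}


def build_conn_string(cfg):
    """Assemble the connection string the leaky handler ends up echoing."""
    return f"Server={cfg['host']};User={cfg['user']};Password={cfg['password']}"


def _simulate_db_failure():
    """Stand-in for the backend call; always fails so the error path runs."""
    raise ConnectionError("database unreachable")


def login_leaky(username, password, cfg=DB_CONN):
    """The 'before': a debug line left behind echoes the connection string.

    Returns (status, body) like an HTTP response would.
    """
    try:
        _simulate_db_failure()
    except ConnectionError as exc:
        # Debug output that should never have shipped.
        return 500, f"DEBUG: {exc}; conn={build_conn_string(cfg)}"
    return 200, "ok"


def login_hardened(username, password, cfg=DB_CONN):
    """The 'after': the client gets a generic message and a reference id;
    the detail goes to the server log where an operator can look it up."""
    correlation_id = uuid.uuid4().hex
    try:
        _simulate_db_failure()
    except ConnectionError as exc:
        logging.getLogger("app").error(
            "login failed id=%s user=%s err=%s", correlation_id, username, exc
        )
        return 500, f"Login temporarily unavailable (ref {correlation_id})"
    return 200, "ok"


def response_leaks_secrets(body, cfg=DB_CONN):
    """Rule 2 as code: does a response body contain any configuration value?

    Every value in the config is treated as sensitive, so the host and the
    database username are flagged as well as the password.
    """
    return any(str(value) in body for value in cfg.values())


def audit_handlers(handlers, cfg=DB_CONN):
    """Run each handler through its error path and return the names of those
    whose response body leaks configuration values."""
    leaking = []
    for name, handler in handlers.items():
        _status, body = handler("alice", "wrong-password", cfg)
        if response_leaks_secrets(body, cfg):
            leaking.append(name)
    return leaking


if __name__ == "__main__":
    handlers = {"login_leaky": login_leaky, "login_hardened": login_hardened}
    print("handlers leaking config:", audit_handlers(handlers))
```

The check is deliberately blunt: it matches every configuration value, not just the password, because the host and account name printed in that error page were exactly what made the incident so embarrassing. Wired into a test suite, it turns "I'm sure I removed the debug line" into something that is actually checked on every build.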

As ever, for any and all decent guidance on developing secure software I recommend the OWASP web site.


This entry was posted on March 23, 2008 10:36 AM.