

Is poor software development the biggest cyber threat? - USNetizen
http://www.csoonline.com/article/2978858/application-security/is-poor-software-development-the-biggest-cyber-threat.html

======
orionblastar
It could be that poor software development is at least a factor in the biggest
cyber threat.

Problem is a lot of people get into programming and take beginner courses in
various languages without learning how to debug or do security checks or
quality control.

When I worked in the late 1990s, I was hired because I could fix bad code and
make it work better. I knew how to do quality control checks, how to validate
inputs to strip out SQL code and HTML code that is used for injections, how to
check anything submitted by the user before processing it to make sure the
data length wasn't over the limit to cause a buffer overflow, etc.

Things changed and I became a dinosaur. There was no need for programmers like
me anymore; they hired them young right out of high school or college dropouts
and my two degrees didn't matter anymore. I developed a mental illness and
ended up on disability, but I still try to keep up with things.

Management always went for cheaper labor, be it via offshoring work, hiring
H1B Visa workers, or hiring dropouts who can work for less. Cheaper labor
didn't always mean quality work. Shortening deadlines on developers means they
take shortcuts to get stuff done and write sloppy code just to meet deadlines.

My style of programming was out because it took too much time to finish.
Managers wanted products out to market sooner so they could get a jump on the
competition. As a result, the code was not tested enough to find the security
holes in it.

The web apps I wrote in 1997-2001 were almost bulletproof; I had developed a
method for writing secure and quality code. They used ASP 3.0 and server-side
VBScript, but the whole technology changed to ASP.NET and C# instead. At least
in the Microsoft shops.

Poor management can be a factor in insecure programs if the managers shorten
deadlines and don't hire people to debug and check the security and quality of
the code.

