'Fixer-developers' needed for web apps - outside1234
http://www.scmagazine.com.au/News/318760,rsac-fixer-developers-needed-for-web-apps.aspx

======
relix
> "You won't find good engineers interested [in fixing vulnerabilities]. It's
> a waste of their talent."

> "He said engineers dedicated to coding will not devote time to fixing bugs."

Unless he meant to say finding the bugs or doing quality assurance, this is
very elitist. Engineers dedicated to coding should fix bugs they themselves
created, because it means they know the source code better than anyone, and
will be able to do so with minimal effort and minimal side-effects.

Saying it's a waste of their talent made me puke a little. Coding _is_ fixing
bugs. It's a big part of development, and often takes the hardest work or most
thinking. You can't just start throwing code around and expect someone else to
come around and fix your bugs for you. That's ridiculous and will probably
result in a culture where new bugs are created faster because there's no
responsibility.

> "You have to analyse the vulnerabilities of these apps and understand
> attacks, at a very fast speed. We don't have that time anymore."

If you're coding a web app and you're (calling yourself) a top-notch engineer,
you should understand the basics of web app security, and how to avoid the top
attack vectors such as XSS, SQL injection, XSRF, etc. You really have no
excuse for not knowing about them, and should code the app from the ground up
to avoid these vulnerabilities. Saying it'd be a waste of talent just doesn't
make sense, because if you have any talent in coding, then you know about
these, and you know how to code the app without creating them. It's like a
reflex.

My conclusion: this CEO Philippe Courtot is full of shit.

------
scotty79
> He said engineers dedicated to coding will not devote time to fixing bugs.

That's so corporate. An engineer will do whatever is necessary to make the
goddamn thing work properly.

I briefly worked at the software production division of some corporation. They
had a funny attitude. They were building their apps in the scrum process,
fixing bugs as they went (reluctantly, because there were no story points for
bugfixing, and everyone loves points even though it's just a planning tool, not
a performance measure), but when the project was considered done (by whoever
made such decisions) it was promptly forgotten, as if it was just perfect. As
if they weren't aware that the piece of software they just architected and
engineered is a bug-ridden piece of crud, as every piece of software is until
you spend at least a year with your users weeding bugs out.

------
greenyoda
> "You won't find good engineers interested [in fixing vulnerabilities]. It's a
> waste of their talent."

If developers know that they'll have to fix their own bugs, hopefully they'll
be more careful and there will be fewer bugs. Also, developers fixing bugs in
their own code are less likely to introduce additional bugs than people fixing
bugs in code they don't know well.

Also, if these developers are really so talented, why do they write code
that's full of vulnerabilities?