I did not intend for this to mean that no 22-year-old can
write good, secure code, and I'd like to apologize to those who felt I
did. Several of you have written to me to explain where you thought I
was wrong; thanks for keeping it in private mail, and not opening a
flamefest.
I do feel that a good many people lack the experience that
lets them write good security code. Writing good security code is, I
think, a matter of practice and experience, both in attacking and
defending a system. One of the things that often leads to experience
is a few years working on security matters. Several people reminded
me that many undergraduates do just that. :)
Adam
Earlier, I wrote:
| Mosaic had a major problem based on its extensive use of the
| system() call. It allowed rude WWW servers to run arbitrary commands
| on your machine when your Mosaic client connected to them. I don't
| trust the Mosaic source, it was written by a 22-year-old. (Not to say
| that 22-year-olds can't write secure software, simply most don't have
| the experience, mindset & skill to know what the attacks are likely to
| be, know that preventing them is a really good idea, and then be able
| to code things well enough that the attacks are actually blocked.)
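The system() problem quoted above is worth seeing side by side with its fix. The following is an added illustration, not Mosaic's code and not Adam's; the scenario (a client picks a viewer program and launches it on a filename taken from the server's response) is a constructed assumption. The first function builds a command line the way code that calls system() typically does, so anything the server puts in the name is parsed by /bin/sh. The second launches the viewer with fork/execv, passing the untrusted string as one argv entry so no shell ever interprets it, and still rejects names that could be read as a path or as an option by the viewer itself.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Characters /bin/sh would interpret if this string reached it via system(). */
int has_shell_metachar(const char *s) {
    return strpbrk(s, ";|&$`<>()\n'\"\\ *?~") != NULL;
}

/* Vulnerable pattern (do not use): concatenates the server-supplied name into a
 * command line destined for system(). Returns 0 on success, -1 if truncated.
 * A name such as "image.gif; echo injected" becomes two shell commands. */
int build_shell_command(char *out, size_t outlen, const char *viewer,
                        const char *server_name) {
    int n = snprintf(out, outlen, "%s %s", viewer, server_name);
    return (n >= 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Even without a shell, a server-chosen string can still steer the viewer:
 * "../.." style paths, or a leading '-' that the viewer parses as an option.
 * Accept only a plain filename made of a conservative character set. */
int is_safe_filename(const char *s) {
    if (s == NULL || *s == '\0' || *s == '-' || *s == '.')
        return 0;
    for (const char *p = s; *p; p++) {
        int ok = (*p >= 'a' && *p <= 'z') || (*p >= 'A' && *p <= 'Z') ||
                 (*p >= '0' && *p <= '9') || *p == '.' || *p == '_' || *p == '-';
        if (!ok)
            return 0;
    }
    return 1;
}

/* Hardened pattern: fixed program path, no shell, untrusted string passed as a
 * single argv element. Returns the viewer's exit status, 127 if it could not
 * be executed, -2 if the name was rejected, -1 on fork/wait failure. */
int run_viewer_noshell(const char *viewer, const char *server_name) {
    if (!is_safe_filename(server_name))
        return -2;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)viewer, (char *)server_name, NULL };
        execv(viewer, argv);   /* argv[1] is data, never shell syntax */
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    /* Constructed server-supplied names. */
    const char *benign = "image.gif";
    const char *hostile = "image.gif; echo injected";
    char cmd[256];

    build_shell_command(cmd, sizeof cmd, "/usr/bin/xv", hostile);
    printf("system() would receive: %s  (metachars: %s)\n", cmd,
           has_shell_metachar(hostile) ? "yes" : "no");

    /* /bin/echo stands in for the viewer; the hostile name is refused outright. */
    printf("noshell benign  -> %d\n", run_viewer_noshell("/bin/echo", benign));
    printf("noshell hostile -> %d\n", run_viewer_noshell("/bin/echo", hostile));
    return 0;
}
```

The useful lesson is the order of defences: dropping the shell removes the whole class of metacharacter injection, and the filename allowlist then handles what the shell was never responsible for (path traversal and option injection into the helper program).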