I am getting really confused. A lot of people on this list seem to
think that testing is a theoretical thing that you do to stop
theoretical threats, and that practical programers don't need to do
testing because they can look at their code and know it's right.
Unless there has been a revolution in information technology that I
am not aware of, this is completely backward and counter to all of
the real-world history of information-technology. Nevertheless, I
have attempted to capture this in the following paragraph, and ask
for comments from the list readers:
Most of the firewall vendors and other people on this list write
programs, never test them at the boundary conditions, and assume that
they works properly because the code looks right to them and seems to
work when they try it on their application. When someone asks about
boundary conditions, they say they have never tested it, but that they
looked at the source code and figure it will work the same way under
high stress conditions as under normal load conditions. The lack of
experimental confirmation presents no problem for the producers or
consumers and presents no impediment to the purchase of a firewall from
such a vendor.
--
-----------------
\Management /\/| 216-686-0090 - PO Box 1480, Hudson, OH 44236
\ /\/ | Check out info-security heaven and test your system
\/\ /\/ | for known vulnerabilities (1st time for free) at URL:
\/Analytics| (scans deeper than SATAN or ISS) http://all.net:8080
-----------------
Read "Protection and Security on the Information Superhighway"
-just released by Wiley and Sons-
Follow-Ups:
|
|
