Re: "Selling" a code-audit.
Sep 20 2004 05:00PM
Adam Shostack (adam homeport org)
On Wed, Sep 01, 2004 at 04:36:10PM -0700, Michael Howard wrote:
| Not calling the developers 'morons' is a good start :)
This is true, but maybe comparing them to MS developers would be.
If you live in a MS-centric world: "Microsoft stopped shipping
unreviewed code. Don't we want to be like them?"
If you live in a *NIX-centric world: "Even Microsoft does code
| Seriously, you have to change culture. People have to realize that the
| quality of their design, code, tests and documentation is paramount.
| Once people accept a culture change like this, everything becomes pretty
| So the next question is how do you change the culture? Simple - you hit
| the top brass, this is what we did here at Msft. My group started making
| its best progress when we had buy-in from billg and steveb, and the
| other senior execs.
I think that there was a confluence of things that led Bill to his
support for you. If a company doesn't have those things (and I'd love
to hear what the ones that made a difference in Microsoft's decisions
were), then you need other cultural drivers.
This could be selling a leading or respected group on reviews. It
could be measuring bugs found before/after ship, and seeing how much
time is saved, and how much happier customers are, if they don't have
It might also be helpful to use objective standards. Something like
RATS or Splint has issues, but it's also objective. No one can claim
that RATS is treating them unfairly. It also allows you to focus
reviews on things like RNGs, design compliance, etc.
Going back to my comparison theme, it may help to point out Kerberos,
or OpenSSL's history of security issues. The context is that all code
has issues sometimes, and your shared goal is fewer shipped bugs.
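The "objective standard" idea above, as an added example that is not part of Adam's post and is not RATS or Splint: a minimal lexical scanner in the RATS style that flags calls to a table of risky C functions, skips commented-out code and literal-format printf, and turns the worst severity into a ship/no-ship rule nobody can argue is personal. The rule table, severities, and the two C snippets (a "before" and an "after" version of the same function) are all constructed for illustration.

```python
"""Minimal RATS-style lexical scanner: flags calls to known-risky C functions.

Added example, not RATS or Splint themselves. The rule table and the C
snippets below are constructed for illustration.
"""
import re

# Rule table (assumption): function name -> (severity 1..3, category, note).
RULES = {
    "gets":    (3, "buffer", "unbounded read; use fgets with a size"),
    "strcpy":  (3, "buffer", "unbounded copy; use a length-checked copy"),
    "strcat":  (3, "buffer", "unbounded concatenation"),
    "sprintf": (2, "buffer", "no length limit; use snprintf"),
    "rand":    (2, "rng",    "libc PRNG; not for keys, tokens or nonces"),
    "srand":   (1, "rng",    "check how the seed is chosen"),
    "printf":  (1, "format", "format string is not a literal"),
}

COMMENT_RE = re.compile(r'/\*.*?\*/|//[^\n]*', re.DOTALL)
CALL_RE = re.compile(r'\b([A-Za-z_]\w*)\s*\(')


def strip_comments(src):
    """Blank out C comments but keep newlines so line numbers stay correct."""
    return COMMENT_RE.sub(lambda m: re.sub(r'[^\n]', ' ', m.group(0)), src)


def first_arg(src, lparen):
    """Text of the first argument of the call whose '(' is at index lparen."""
    depth = 0
    for i in range(lparen, len(src)):
        c = src[i]
        if c == '(':
            depth += 1
        elif c == ')':
            depth -= 1
            if depth == 0:
                return src[lparen + 1:i].strip()
        elif c == ',' and depth == 1:
            return src[lparen + 1:i].strip()
    return src[lparen + 1:].strip()


def scan(src):
    """Return (line, function, severity, category, note) for each hit."""
    clean = strip_comments(src)
    findings = []
    for m in CALL_RE.finditer(clean):
        name = m.group(1)
        if name not in RULES:
            continue
        sev, cat, note = RULES[name]
        # printf with a string-literal format is not a finding.
        if cat == "format" and first_arg(clean, m.end() - 1).startswith('"'):
            continue
        line = clean.count('\n', 0, m.start()) + 1
        findings.append((line, name, sev, cat, note))
    return findings


def worst(findings):
    """Highest severity present; 0 when the scan is clean."""
    return max((f[2] for f in findings), default=0)


def ship_gate(src, max_allowed=2):
    """Objective ship rule: True when no finding exceeds max_allowed."""
    return worst(scan(src)) <= max_allowed


# Constructed sample input: the 'before' version of two functions.
BEFORE_C = r'''
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

void greet(const char *name) {
    char buf[32];
    strcpy(buf, name);          /* unbounded copy */
    printf(buf);                /* caller controls the format string */
}

unsigned token(void) {
    srand(1);
    return rand();              /* non-cryptographic RNG */
}
'''

# The same code after review. rand() is left in deliberately so the RNG
# finding survives and still draws a reviewer's eye.
AFTER_C = r'''
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

void greet(const char *name) {
    char buf[32];
    snprintf(buf, sizeof buf, "%s", name);
    printf("%s\n", buf);
}

unsigned token(void) {
    return rand();
}
'''

if __name__ == "__main__":
    for label, src in (("before", BEFORE_C), ("after", AFTER_C)):
        hits = scan(src)
        print(f"{label}: {len(hits)} finding(s), worst severity {worst(hits)}, "
              f"ship={'yes' if ship_gate(src) else 'no'}")
        for line, name, sev, cat, note in hits:
            print(f"  line {line}: {name}() [{cat}/sev{sev}] {note}")
```

Run it directly and the "before" snippet fails the gate on the severity-3 strcpy while the "after" snippet passes with only the rand() finding left, which is exactly the kind of residual that lets a reviewer spend their time on RNG and design questions rather than on arguing about whose code is worse. Counting findings per build over time is also the cheapest before/after metric to put in front of management.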
Copyright 2010, SecurityFocus