Developing secure software. Was: Re: [Dshield] DCOM morning after

Kenneth Porter shiva at
Thu Aug 14 20:56:54 GMT 2003

--On Thursday, August 14, 2003 2:02 PM -0400 "Jon R. Kibler"
<Jon.Kibler at> wrote:

> Usually, by the beginning of the third day, the software types would start
> complaining "Why do we need all these written requirements, design models,
> test plans, and other documentation? We have some idea what the customer
> wants, why can't we just start writing code?". Answer: Because without all
> this paperwork, you really cannot say exactly what it is the customer
> wants, and exactly how it works. Plus, you have no way to prove what you
> produce is exactly what the customer said they needed.

"Some idea"? :D In my experience, the *customer* doesn't know what he wants,
so how could the programmers? It usually takes a few iterations of prototypes
before the customer gets it together and settles on a set of requirements.
Then the issue arises whether any of the work done on the prototypes can be
recycled into the real product.
