The software professional vs the software artist

Developers with a creative streak don't get to opt out of security.

I hope that James Turner’s post on “The overhead of insecure infrastructure” was ironic or satiric. The attitude he expresses is all too common, and frankly, is the reason that system administrators and other operations people can’t keep their systems secure.

Why do we have to deal with vulnerabilities in operating systems and applications? It’s precisely because of prima donna software developers who think they’re “artists” and can’t be bothered to take the time to do things right. That, and a long history of management more interested in meeting ship dates than in shipping secure software; and the never-ending, always escalating battle between the good guys and the bad guys, as black hats find new vulnerabilities that no one thought of a week ago, let alone a few years ago.

Yes, that’s frustrating, but that’s life. If a developer in my organization said that he was too good and creative to care about writing secure code, he would be out on his ear. Software developers are not artistes. They are professionals, and the attitude James describes is completely unprofessional and entirely too common.

One of the long-time puzzles in English literature is Jonathan Swift’s “A Modest Proposal for Preventing the Children of Poor People From Being a Burden on Their Parents or Country, and for Making Them Beneficial to the Publick.” It suggests solving the problem of famine in Ireland by cannibalism. Although Swift is one of English literature’s greatest satirists, the problem here is that he goes too far: the piece is just too coldly rational, and never gives you the sly look that shows something else is going on. Is Turner a latter-day Swift? I hope so.

  • The fundamental complaint is sound – application developers SHOULDN’T have to spend time working on security. The software stack that you’re building on top of SHOULD make it impossible for an application to allow system compromise.

    But it’s flatly ignorant to not realize that that sort of stable/secure stack is not conducive to innovation or creativity. Cobol apps running on 3270 green screens without any physical connections to other machines are damned secure. Not a lot of ART or creativity in those apps, however.

  • Ted Taylor

    Did you even read his entire article Loukides? Or just the last paragraph? Do you have any thoughts on his call for secure infrastructure?

  • There are quite a few developers out there like this, who can’t be bothered with securing the infrastructure.

  • jeff

    A classic case of people talking past one another.

  • Peter Booth

    As someone whose career has been a constant back and forth between developer and system roles, I’m very familiar with both perspectives.

    There are many technologists who start out from a position of “the platform will take care of security/performance/availability for me.” This thinking is reinforced with newer higher level platforms that attempt to do just that. (JEE, ORMs, Rails, etc). Of course there are always gaps, and they usually appear at the worst possible time.
    I no longer believe that this situation can be changed; I think it’s human nature. Some geeks will embrace end-to-end responsibility and all that entails. Others will deliver much value within their world view, whilst leaving a mess for the first group to clean up. The split isn’t always admins and developers, but it often is.