This site graciously hosted
by our friends at


23 May 2003

To the Editor of CIO Magazine:

I just finished reading Scott Berinato's article ("The Bugs Stop Here", 22 May 2003) on While Mr. Berinato makes several good and valuable points, I believe that he is only addressing the symptoms and not many of the underlying problems regarding developing secure applications.

In the article, Mr. Berinato cites several remedial steps that a software development organization should take in developing secure software, such as screening application source code for known bugs. He further cites an excellent list of the top 10 software coding mistakes that programmers make. The problem here is that software testing is good at pointing out a known and understood set of problems, but it is hopelessly inadequate at detecting the absence of problems.

The critical point that I believe that he misses is that developing high quality, secure software requires a careful and methodical engineering process that starts with sound architecture and design, and proceeds through solid implementation, deployment, and operation of the software. Of course, testing should be done at every one of those phases as well, but it is only one of many aspects of developing good software.

In my book, "Secure Coding: Principles and Practices" (O'Reilly, 2003), my co-author (Mark Graff) and I describe those phases and the thought processes that accompany each. I believe that this "lifecycle" approach to developing software is absolutely vital to developing software that is secure enough to meet our business needs today and well into the future.


Kenneth R. van Wyk

Copyright (C) 2003, Kenneth R. van Wyk. Permission granted to reproduce and distribute in entirety with credit to author.

Site Contents Copyright (C) 2002, 2003 Mark G. Graff and Kenneth R. van Wyk. All Rights Reserved.