Bill Gates Calls for Security Code Reviews
Bill Gates has ordered all code development at Microsoft to stop for the next 2 weeks and for programmers to hold code reviews of existing code to check for security-related problems as a means of curbing Microsoft's propensity to release code with security holes. I will give Bill Gates the benefit of the doubt that he is serious in this approach, but as an experienced developer and quality assurance specialist, I believe he's wasting Microsoft's time and money and will only gain a short-term public relations boost.
Having sat through many code reviews held by code developers, I can state with certainty that little will be found as no one will pay much attention to design and code issues and instead look at each page of code and say "Yup! That looks like code". What was needed before the code was written was a detailed design document showing how the code would be implemented. No one in code development seems to have the time for this most important of documents. Instead they prefer to code on the fly with little thought to security considerations.
What Microsoft and every code development organization needs is a quality assurance group with expertise in testing for security, as well as the usual other considerations: a group that can objectively verify a product before it is released as a beta or customer product. Unfortunately, that process takes time... making it something few code development organizations have any interest in.
02/14/02
© Copyright 2000-03 www.mypov.org - All rights reserved.