Can good programmers be part of a SDLC?
I’ve just read this small article from Paul Graham, called “The other half of ’Artists Ship’”. The key point of the text is this:
“For good programmers, one of the best things about working for a startup is that there are few checks on releases. In true startups, there are no external checks at all. If you have an idea for a new feature in the morning, you can write it and push it to the production servers before lunch. And when you can do that, you have more ideas.
At big companies, software has to go through various approvals before it can be launched. And the cost of doing this can be enormous—in fact, discontinuous. I was talking recently to a group of three programmers whose startup had been acquired a few years before by a big company. When they’d been independent, they could release changes instantly. Now, they said, the absolute fastest they could get code released on the production servers was two weeks.
This didn’t merely make them less productive. It made them hate working for the acquirer.”
Assuming that writing secure code and the complete Secure Development Life Cycle can be described as “checks” and “controls”, it would be natural to assume that good programmers don’t want to work for companies with an SDLC in place. That is certainly an important factor to weigh when moving to a more secure approach to software development.
We know that an SDLC works for generating more secure code. But can we keep the good programmers while doing that? Can this issue be a problem big enough to make a company choose not to implement an SDLC?

IMO, SDLC and pair programming are good to avoid having the mediocre programmer make mistakes alone. But when you have a good programmer (good programmers are not the ones who can code faster with good logic, etc. Good programmers must understand and be used to security programming) it’s really boring, time consuming and expensive to tutor a beginner (in pair programming) or to answer a lot of checklists and do meetings with security guys that sometimes don’t even have a clue about what they are talking about. The real problem is: in big companies it is not rare to find really bad, lazy and beginner developers working as “seniors”.
December 2, 2008 @ 2:08 pm
To me, this issue will be addressed when a “good programmer” as described in the article above recognizes that his/her contribution as a professional extends beyond writing good/interesting code. In my opinion, a professional is one who applies his/her skills to the task at hand as part of the broader organizational effort. When the programmer (or the network admin, or the database guy, or anyone else in IT) realizes that the objective is to support the organization – and not show off skills (or skillz) – then we can have better participation in SDLC/Change Management/Quality Control/…
Perhaps it’s time for instituting errors & omissions liabilities for IT professionals? That can also be a nice wake-up call to produce robust output (code, network, etc.)
December 2, 2008 @ 10:10 pm