Higher-level application modules tend to incorporate higher-level assumptions about the kind of input theyll receive. Developers who dont challenge their own assumptionswriting necessary validation routines and bounding their code with robust exception handlingare begging to be next on the list of "Can you believe that someone still got hit by this?" Network-facing applications invite developers to rely on additional abstractionsa trend thats accelerating with the emergence of frameworks such as Microsofts "Indigo" that offer developers access to immense capability with minimal writing of code.eWEEK Labs concurs with Platos warning: To write a network-facing application while relying entirely on platform abstraction is like driving down a paved highway and looking only at lane markers, oblivious to even the possibility of potholes. One piece of network cable is assumed to be substitutable for any other that meets the same specifications, but enterprise application code is a product of personal creation that reflects personal training, attitude and culture. The culture of programming continues to evolve. Computer science educators have described to eWEEK Labs the changing approach to the application development task that theyve seen in successive generations of students: First-generation developers got their initial exposure to computers in the context of learning to program, while current students are at least as likely to come from a background of playing computer games. The result that those professors see, understandably, is a growing inclination for game-imprinted students to declare success and move on as soon as a piece of code does what its supposed to do. Thats a far cry from considering the things that code might be made to do, let alone crafting it to do nothing that is not actually desired. Development managers may thus benefit, ironically, from the strictures of legislative and regulatory mandates such as the Sarbanes-Oxley Act, with associated demands for precise characterization of IT system function and control. Telling a developer who wrote a piece of code that another developer must deploy it might once have been taken as an insult or at least an unnecessary nuisance, but under SarbOx, it merely becomes the way that things have to be done. IT governance aids such as Mercury Interactive Corp.s IT Governance Center may therefore belong on a development managers next tools budget . Development teams familiar with the disciplines of projects undertaken for the U.S. Department of Defense have a head start on producing highly structured documentation of application and component interactions. Tools such as Telelogic ABs Tau are well-established in such environments and may find growing interest in mainstream enterprise development organizations as well. Development managers must be prepared, however, to make the case for investments in security and IT governance training and tools for their teams. Myths abound, said Anitians Plato, that only certain organizations need to worry about attacks. "Most hackers do not care about your systems," he said. "The fact that you process or store boring or low-priority information does not make you more secure." The kind of security that can be added to the outer shell of enterprise IT is, for the most part, in place. It now falls to developers to understand their role and to development managers to provide needed tools to satisfy intensifying demands for the kind of security that has to be embedded in applications. Technology Editor Peter Coffee can be reached at email@example.com. Check out eWEEK.coms for the latest news, reviews and analysis in programming environments and developer tools.
Its therefore essential for developers to understand at least the rudiments of both hardware and software infrastructure, warned Andrew Plato, a consultant at Anitian Corp., in Beaverton, Ore. Unfortunately, Plato said, that is not always the case. "I find that development teams have virtually no comprehension of network or infrastructure security," he said. "Ive had developers ask me, Whats an IP address? Whats a DNS server? Youd think theyd know that or want to know that, but they say, I write software."