A reader’s elaboration of my “better engineers” argument

Dale Hunscher commented on my earlier posting about best language selection for HIPAA security. He made my point better than I did so I thought I’d raise the comment to a level where everyone can see it.

I agree with the post about the need for “good developers”, but I think that needs clarification, by way of expanding on Administrator’s comment above. Many programmers/software engineers have no real understanding of what kinds of programming practices create security holes. Most are subtle errors, and of little interest to developers since they usually require attention to details that do not add to the feature set in any visible way, and no challenging algorithmic problems are involved.

In my domain, clinical research informatics, HIPAA is another area where developers commonly have misconceptions, especially with respect to creating deidentified and limited data sets. The rules are arcane and even less interesting to programmers than security.

Developers who have this level of knowledge are hard to find, and when you encounter them they usually have the level of experiential wisdom that transcends any given programming language or environment. Give them well-defined requirements and definition of applicable constraints, and you will get a secure system.