back to testing

Since starting this blog a couple weeks ago, I’ve received more comments via email than have been posted on the blog. Many more.

It reminds me of when I was a professor and ended every class with “anyone have a question?” Silence almost always followed that query, only for students to line up after class with questions. There is something about one-on-one interactions that just seems pleasing to people. I tried to take the time to remember the questions so I could answer them later for the entire class when I thought those answers would be generally helpful.

Well, this is the blogging business, not the teaching business, and I wonder how much of any of it is helpful. However, the question that has come most frequently to my inbox is “what made you leave security to come back to testing?” Perhaps the answer has some claim to general interest.

That answer: ignorance.

In fact, ignorance was what sent me the other direction back in 2000, when my friend and colleague David Ladd (who blogs here) tweaked my interest. Ignorance is core to progress in science; Matt Ridley explained it best: “Most scientists are bored by what they have already discovered; it is ignorance that drives them on.” When David laid out the wonder of security testing to me (and in that sense I never really left testing), I was hooked. This was an important problem in a field I knew nearly nothing about. Eight years, two patents, two security books, more than a dozen papers, and two startups later, I have to admit I became a bit bored.

In some ways security is getting easier. Many of the problems with security are of our own creation. Buffer overflows, for example, never had to happen; they were the result of poor implementation of programming languages. Neither did viruses, for other reasons. Microsoft and many other companies are changing the game. Better compilers, hardened operating systems, and managed code have made many security problems simply vanish. Virtualization and cloud computing will continue this trend. Ignorance is being replaced with knowledge, and nowhere is that more noticeable than in security.

When I heard Visual Studio was looking for an architect for the test business, I found my juices stirring … the siren call of unbounded ignorance.

Working in security made me realize just how hard testing really is. Testing is not a problem created by humans; it’s the nature of the beast. It’s part of the very fabric of the computer and the network in their infinite possibilities. In fact, someone wondered in another private exchange if I found much had changed in my eight years ‘away.’ ‘No,’ was my answer, ‘and I did not expect to.’ Security has changed so fundamentally in eight short years that, had the situation been reversed and it was security I took a sabbatical from, my skills would likely be suspect. Instead I find myself working on much the same testing problems as I had before.

This is not an indictment of any testing researcher, practitioner, or of testing in general; it is a nod to the complexity of the problem. There is a lot of ignorance to keep all of us busy trying to find the right knowledge with which to replace it. But we cannot let the seeming lack of progress deter us from working on one of the loveliest scientific problems of our time.

Thanks for asking.