October 31, 2006

How to build a better "Death Star".

Gary posted on SCL about an interesting article discussing black-box testing and better ways of approaching it. More important (and funnier) were the analogies used for the effectiveness of black-box testing:

"When you do a black-box test, you're sort of firing this bullet into the software through the front door," McGraw says. "All you really know is that it went down in there somewhere and something bad happened. You're like Luke Skywalker shooting that thing into the Death Star. It blows up, but you don't really know why."

... and then of course a better way to do it with Tracer:

"Tracer is about helping you to diagnose the problem, instead of just letting you know that you're in trouble," McGraw adds. "It's a great segue from the current practice of relying on your badness-ometer to actually doing something about software security. It shows you which part of the application is blowing up so that you, as a developer, can build a better Death Star."

Of course, since Gary sits on the board of Fortify, he has some interest in discussing this. But it does make for an interesting piece. :)

Posted by SilverStr at October 31, 2006 09:00 AM