by lbriner 1462 days ago
I think the challenge is that unless you consider and write the tests first, it is easy to create tests that pass. Test ssl verify? Easy, just mock it returning 1 and the code passes. In real life, however, maybe the return value is -1 and maybe that doesn't work.

Maintaining tests for these sizes of projects is probably quite arduous too. I don't disagree but I still think there are many genuine reasons there are no/not enough tests around this sort of code.

1 comments

Genuine reasons, but ones that still aren't good enough, right? There shouldn't be some bar where it was just so difficult on the developer to ship broken security code. If it's that hard, stop writing critical software components and go home.
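Added example, not part of either comment above: the mocked-verify point from the first comment, shown as a C sketch in which a test that only mocks a return of 1 passes against a caller that also accepts -1. The verifier signature, the 1/0/-1 convention, and all function names are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed convention (hypothetical verifier): 1 = valid, 0 = invalid, -1 = internal error. */
typedef int (*verify_fn)(const unsigned char *cert, size_t len);
typedef bool (*accept_fn)(verify_fn verify, const unsigned char *cert, size_t len);

/* Flawed caller: any non-zero result counts as success, so -1 is accepted. */
bool accept_peer_flawed(verify_fn verify, const unsigned char *cert, size_t len) {
    return verify(cert, len) != 0;
}

/* Strict caller: only the exact success value is accepted. */
bool accept_peer_strict(verify_fn verify, const unsigned char *cert, size_t len) {
    return verify(cert, len) == 1;
}

/* Constructed mocks, one per possible outcome. */
static int mock_valid(const unsigned char *c, size_t n)   { (void)c; (void)n; return 1; }
static int mock_invalid(const unsigned char *c, size_t n) { (void)c; (void)n; return 0; }
static int mock_error(const unsigned char *c, size_t n)   { (void)c; (void)n; return -1; }

/* Test written after the code: only the mock returning 1. Returns the failure count. */
int happy_path_failures(accept_fn accept) {
    static const unsigned char cert[] = "constructed-sample-cert";
    return accept(mock_valid, cert, sizeof cert) ? 0 : 1;
}

/* Test written from the return-value contract: every outcome is exercised. */
int contract_failures(accept_fn accept) {
    static const unsigned char cert[] = "constructed-sample-cert";
    int failures = 0;
    if (!accept(mock_valid, cert, sizeof cert))  failures++;
    if (accept(mock_invalid, cert, sizeof cert)) failures++;
    if (accept(mock_error, cert, sizeof cert))   failures++; /* -1 must be rejected */
    return failures;
}

int main(void) {
    printf("flawed: happy=%d contract=%d\n",
           happy_path_failures(accept_peer_flawed), contract_failures(accept_peer_flawed));
    printf("strict: happy=%d contract=%d\n",
           happy_path_failures(accept_peer_strict), contract_failures(accept_peer_strict));
    return 0;
}
```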