[MattRogish]

The "experts only" attitude is because, well, as we've seen with HeartBleed, this is VerySeriousStuff.

If the author instead put together a book on how a layperson could perform open-heart surgery, you're damn right that actual surgeons would jump all over it.

There is some strange pervasive attitude/arrogance in tech that all it takes to be good at something is to be smart and give it a try. Why learn the theory/fundamentals when you can just start coding?

For building a web app, sure. But security is not one of those things. You actually need to learn the fundamentals and theory, and even then, need lots of experience.

[thrownaway2424]

That's a very weird lesson to learn from the heartbleed bug. What I learned is cryptography experts should be consulted on matters of math and ignored on matters of software. Any non-zero application of software development best practices would have prevented the heartbleed flaw, including:

1: Don't implement features you don't need. Nobody needs TLS heartbeat. Nobody. Don't implement it until you have a use case and the calling code in hand.

2: Test the features you do implement. What happens if this field is the minimum? The maximum? A power of 2? A power of 2, less 1? Negative when treated as signed?

[duaneb]

You know what else is hard? Writing a book on cryptography. It's all very well and good to point out problems, but there are probably more productive ways to teach people than simply point out what not to do.

[scott_s]

When you are writing about a difficult subject, you should invite reviews from experts to vet your work.

[duaneb]

I'm not disagreeing. I'm just pointing out that a critic is much less useful than an author.

[CocaKoala]

That depends entirely on what type of book is being wrote. If I write a history textbook that goes into intricate detail about the Time Slip of 1662 and the Lost Years, and the eventual Realignment that resulted in the Great London Fire, am I being more useful than a critic who points out that my history textbook is full of factual inaccuracies?

[scott_s]

If I wrote a book on brain surgery, the critics would be much more useful than the author.

[awj]

I'll take one responsible author with one harsh-but-knowledgeable critic over a hundred would-be authors without the ability to sift useful content from polemic criticism.

[duaneb]

Well, I'll take the one responsible author now. Who are they?