
I'm not smart enough to know what the problem is. But you know what - I don't need to be smart enough. If a problem is so obscure that I am unable to discover it through analysis, either because I lack the knowledge or the skill, then I should have another skill: be able to isolate the problem.

Once I know where the problem is coming from, I can change the affected routines in such a manner that they don't cause the same error.

If I faced such a problem in the real world, it would take too long to really understand the bug. It's much faster to isolate the bug and then force a whole big area of the code out and rewrite it in a different and simpler manner that would not cause such a bug.



You can't isolate this problem, because it only occurs when you have an adversary.


Exactly. That's the problem with security exploits. They are typically edge cases, but whereas the typical edge case affects only a tiny subset of users who accidentally run into it, a security exploit edge case is purposely sought out by malicious users and can potentially affect your company and every other user very negatively. It's the difference between a gas-powered range that has a slightly uneven heat across the burners and a gas-powered range that can be re-programmed through the internet to fill your house with gas that is then set on fire.


Wonderfully entertaining analogy.


If you (or your coworkers) wrote the bug once, and you don't make an effort to understand what the bug is, how do you know you won't write it again somewhere else?

I think an attitude of trying to leap over gaps in your knowledge is really destructive. Where do you draw the line at "this is too much trouble to understand, I just won't bother?" It's our job to understand the machine to the best of our ability.


I think "wait till it happens and then work around it" is a pretty bad strategy - by the time you find out about the problem (if you even do), it might have cost you huge amounts of money, lost business, customers' data, etc, etc.



