Wed, 07 Mar 2007

Being able to predict what the _user_ will be thinking is also
an important skill for a programmer to have.

Kragen Sitaker [kragen at pobox.com] said:
> Previously, I hadn't understood the psychological aspect of
> code-reading --- you have to understand not just what the code does,
> but what the previous programmer or programmers were thinking when
> they wrote it.

This echoes some of the things I've read in The Art of Software
Security Assessment. It's been a few months, so I'm paraphrasing, but
they're basically saying "To really get good at this code auditing
thing, you've got to start thinking like the programmer that wrote the
code being audited". Then you'll be able to know what other classes of
vulnerabilities (or corner cases in classes of vulnerabilities) the
authors are likely to have overlooked.

--paulv