Lessons Learned About Bugs And Software Quality - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Mobile // Mobile Applications
04:11 PM

Lessons Learned About Bugs And Software Quality

Fundamentally, what the Kama Sutra worm and all the other viruses and attacks come down to is the awful state of software quality in general.

During the month I spent reporting a story about Linux vulnerabilities (as yet unexploited), I found myself surprised on occasion.

I thought others might find some value in what I discovered along the way. So here goes.

  • After years of buying into the accepted wisdom that Microsoft is the bogeyman when it comes to software quality, I found that isn't true. The overwhelming consensus by the security experts I talked to is that Microsoft's code is no worse than any other vendor's. Instead, the reason Windows gets slammed so much is that it runs on 96% of the world's desktop machines, and users are nowhere near as persnickety as server admins when it comes to security. Put another way: malware creators get into enterprises by means of the desktop. Going back five years and longer, sure, Microsoft (and everyone else) was mostly focused on adding ever-more features and functions in its software, and that philosophy meant debugging and security took a back seat to added functionality. But that's pretty well behind us now, the security gurus said, and the number of worms and viruses has more to do with how much code is in any given piece of software and how new the code is. So when you've got a bazillion lines of code in Windows, and it's constantly updated, you've got a virus-factory in the making.
  • The paragraph immediately preceding this one is going to cause some who hate Microsoft to sputter and call me names. So be it. Another thing I learned is that many people are in love with their operating systems, on both sides of the divide. But hey, it's just software, folks. If it solves a problem, great. But all of it, just by virtue of it being software, has bugs and security holes and we're not making fun of someone's mother here. Let's lighten up on the religious wars, shall we?
  • To be taken as seriously in the enterprise as other software, some in the open-source community need to grow up a bit. When asked about security or other issues, it's not good enough to say 'the other guy is worse.' That's not an answer. And it's actually a compliment when people want to know how open-source stands in relation to others on key enterprise issues; it means potential users are looking at it in the same way they look at any other software. And isn't that the whole point?
  • Some of the vulnerability numbers published by the much-vaunted CERT organization are, when it comes to Linux anyway, to me suspect and pretty much useless. Apparently, and I say 'apparently' because nobody from that organization would talk to me about this despite six phone calls seeking comment, the CERT numbers count any given vulnerability each time it appears in any Linux distribution. So if the same flaw appears in, say, both Red Hat and SuSE Linux, it's counted twice. I don't know why they do this. But it makes comparing the numbers between and among operating systems downright impossible and, as we all know, one number standing by itself doesn't tell you much.
  • As Linux spreads throughout Corporate America and is used for new applications, it's bound to become a much more attractive target for malware makers. Particularly at risk are Linux appliances that may not be patched often. Also, Linux techies may be opening the door to more risk by grabbing a cool tool off a site somewhere. Who knows where that tool has been, quality-control wise? Think of this as an early warning. Around 70% of successful hacks happen due to human error--things like setting the administrator's password as "administrator." Linux has been lucky so far, but it's time to look at processes, system settings, and other things to make sure they're as buttoned-down as possible<.
  • Fundamentally, what the Kama Sutra worm and all the other viruses and attacks come down to is the awful state of software quality in general. Clint Kreitner, president of the Center for Internet Security, says that buyers have for too long accepted a very low quality level in the software we use, and that we're reaping what we sow after years of pressuring vendors to give us more features. "This isn't about evil vendors," he says. "It's about buyers of software expecting high levels of functionality at the expense of security.."
  • What do you think? Please comment below.Fundamentally, what the Kama Sutra worm and all the other viruses and attacks come down to is the awful state of software quality in general.

    We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
    Comment  | 
    Print  | 
    More Insights
    InformationWeek Is Getting an Upgrade!

    Find out more about our plans to improve the look, functionality, and performance of the InformationWeek site in the coming months.

    11 Things IT Professionals Wish They Knew Earlier in Their Careers
    Lisa Morgan, Freelance Writer,  4/6/2021
    Time to Shift Your Job Search Out of Neutral
    Jessica Davis, Senior Editor, Enterprise Apps,  3/31/2021
    Does Identity Hinder Hybrid-Cloud and Multi-Cloud Adoption?
    Joao-Pierre S. Ruth, Senior Writer,  4/1/2021
    White Papers
    Register for InformationWeek Newsletters
    Current Issue
    Successful Strategies for Digital Transformation
    Download this report to learn about the latest technologies and best practices or ensuring a successful transition from outdated business transformation tactics.
    Flash Poll