Finding ways to avoid wasteful spending is a constant source of debate in Washington, and, according to U.S. Marine Corps CIO Robert Jack, there’s a way software developers can help: Create software that doesn’t contain as many bugs. Speaking at a recent cybersecurity forum, Jack explained that the software industry’s practice of releasing products as soon as possible and relying on patches later to fix errors is a nightmare for an executive in his position, tasked with managing hundreds of thousands of end users, InformationWeek reported.
“You’re killing me,” Jack said, according to the publication, referring to the software industry as a whole.
He urged the software industry to adopt more rigorous development and testing practices to reduce the burden placed on government organizations and other customers. While it’s unrealistic to expect every piece of software to be flawless, Jack said that too many vendors are making calculated compromises during development so they can release products and updates faster. He suggested that the era of liability lawyers looking to target enterprises with cases related to software errors is not far away, explaining that such litigation is now common among hospital operating liability lawsuits. While vendors may not have much incentive to improve their development practices, Jack said that this is likely the only way to solve the problem.
“I’ve been beating that drum for 15 years,” he said, according to InformationWeek. “I don’t believe legislating software assurance is going to work. I need corporate citizenry to step up to the plate and take responsibility for what they put into their software.”
How poor development drives up end user costs
In Jack’s case, the complexity of the USMC IT environment makes it difficult to simply roll out a software update as soon as it’s announced. He noted that there are 300,000 people he must account for, a third of whom have access to the network on a daily basis via desktop or other end user device. In total, Jack oversees 450 registered systems regressed to 10 significant versions, and each patch must be tested in light of that environment.
“Think about the labor hours where I have to touch [and administer patches on] all those devices,” Jack said, according to InformationWeek. “And that’s just for one patch.”
It is not only costly and complicated for large agencies and enterprises to keep up with patch schedules; attackers are also more likely to target them for exactly that reason, as in a recent watering hole attack that targeted Department of Energy employees using Internet Explorer 8. Furthermore, many bugs don’t receive patches from the vendor until long after they are discovered, according to a 2012 Symantec study. Between the risk of undiscovered zero-day flaws, the threat of exploits targeting unpatched software and the complexity of rolling out patches, bugs impose a substantial burden on an organization like the USMC. One study from earlier this year estimated that the total cost of buggy software worldwide exceeds $300 billion each year.
In January, new provisions in the National Defense Authorization Act included a requirement mandating military software vendors to use automated source code analysis tools during the development process, so the USMC’s predicament may improve as the effects of such procurement practices trickle down. By pushing vendors toward safer development practices, such rules may help reduce the cost of cleaning up half-baked products constantly in need of updates. To win the confidence of leaders like Jack, vendors should look to demonstrate their commitment to building quality products and writing error-free code through the use of tools such as static analysis software and approaches such as peer code review.
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.