Software bugs can be serious. They can open up security holes, or they can cause software to crash or slow down, costing thousands in productivity. And according to a survey from bug-finding firm Raygun, there may be more of them around than you might think.
Raygun surveyed 1400 developers last month and found that 93 per cent of them were confident that their software quality was “good” or “great.” Yet industry statistics suggest otherwise.
The 2013 Scan Report from software testing firm Coverity scans open source and proprietary projects for software bugs. It found that the density of software bugs in proprietary code reached .72 defects per thousand lines. These defects were medium- to high-impact bugs.
Some of the most notable bugs in the press recently, such as last year’s Heartbleed and this month’s FREAK, came from OpenSSL – which is an open source encryption system. The source code for open source software is exposed to everyone, which is supposed to make it more secure. The theory goes that many eyes on a piece of code will capture more bugs than if a piece of software is closed, and only open to a few developers for scrutiny.
That theory may be in question, though. According to Coverity, the proprietary bugs surpassed the open source ones for the first time in 2013, at least in C/C++ projects. That isn’t to say that open source software isn’t buggy. It’s just that proprietary code is buggier.
Whether using open source or proprietary software, or a mixture of both, it behooves CIOs to devote resources to software testing, not just after development, but all the way through the process. How?
One way is to get as many experts to look at software as possible, by testing it out and looking for discrepancies in functionality or performance.
Large companies with software as a core competency are serious about this stuff. Facebook paid out $1.2m in bug bounties last year, and Apple is so eager to avoid a repeat of its buggy iOS 8.0.1 launch that it will launch previews of its iOS operating systems in the future, allowing the online community to te3st the software for flaws.
A startup called Synack is even hoping to streamline crowdsourced bug hunting into a service that it can provide for corporate clients. It pays crowdsourced bug finders according to each software flaw that they find. It joins other platforms like HackerOne and Bugcrowd, who perform similar services.
Whether or not companies feel comfortable letting non-employees at their code, embedding security procedures from the start of the development process is a must. This concept, known as the secure development lifecycle, is often a difficult sell for IT departments, because they risk doing something that doesn’t deliver new features, and risks slowing down development.
Building modular software architectures with small code components can help here, as can agile development processes that carve up software development into smaller, manageable chunks to speed up projects.
These approaches, along with judicious use of software testing tools, enables IT departments to work mostly smarter, rather than harder, when it comes to filleting their software and removing bugs. But it may also mean contributing to the testing and debugging of large open source software projects that your company is using in-house.
With the next Internet scale software bug apparently just around the corner, it may just be worth the investment.
