Slashdot Mirror
Programmers Learn to Check Code Earlier for Holes
Carl Bialik from WSJ writes "Many companies are teaching programmers to write safer code and test their security as software is built, not afterward, the Wall Street Journal reports. This stands in contrast to an earlier ethos to rush to beat rivals with new software, and, of course, brings tradeoffs: 'Revamping the software-development process creates a Catch 22: being more careful can mean missing deadlines.' The WSJ focuses on RIM and Herb Little, its security director, who 'uses Coverity every night to scan the code turned in by engineers. The tool sends Mr. Little an email listing potential red flags. He figures out which problems are real and tracks down each offending programmer, who has to fix the flaw before moving on. Mr. Little has also ramped up security training and requires programmers to double-check each others' code more regularly.'"
Writers are encouraged to proofread.
Static analysis is great stuff. I've worked on an open source Java static analysis tool, PMD, for the past few years and I've gotten lots of feedback from folks who have used it to find all sorts of things in their code. Just a quick scan for unused variables can yield some excellent results, and the copy/paste detector works quite nicely too. And there's a book, too!
Coverity's doing a nice job with their tech marketing, too - l think a couple of open source projects are using the stuff they found to clean things up. At least, there's been a fair amount of traffic on the Ruby core list about some things Coverity's scan found. Good times...
The Army reading list
Time to buy Coverity stock? =)
After missing a few deadlines, the marketing goons will push to abandon security for more crap on the shelves.
After all, that's how the software market works. People buy anything. "LOOK! THE NEW (insert program/OS name here)! I MUST HAVE IT!"
Stable?
Secure?
Mem-leak free?
In one word: FINISHED?
Who cares? It's new, it's shiny, it's been all over all the mags and preview pages, the hype is on, WANNAHAVE!
And as long as we keep buying the unfinished crap, it won't change.
Yes, I'm sure everyone in the tech departments would see this as the right way to go. Test your software, preferably during development, not afterwards. Go through memleak tests, go through stability tests, have some experienced whitehats poke at it, and if it survives, let it go into beta.
If anyone gets that idea past marketing, I will bow down to him.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Alright, so writing better code means you might miss a deadline. But not writing better code means.. things are exactly as they've always been, or the software development cycle will be revamped appropriately?
Not much of a catch 22.
...might just make the software more appealing to customers. Recouping the lost market time with a slightly more solid base, combined with less strain on call centers when bugs do fly up. Catch 22 be damned, I'd rather have working, secure software a month later than a buggy, glaring security risk today.
The new Black!
I usually do some quick general design and planning beforehand, then go in and write the software one element at a time, testing to make certain it works properly before moving on to the next. The benefits seem to far outweight doing it the other way, for me, as it reveals problems I wouldn't have noticed in the planning stages in the design or implementation early, and it also helps isolate where any bugs would be located at, so I'm not checking all over the place.
I'm not sure if it really saves me any time in the long run, but I'm much more comfortable coding this way, which is probably more important.
Also, so far, I've been the only coder for my projects at work and my games at home, so it *might* not be quite as effective for large teams, although what I've read on XP seems to suggest that it can still be very effective.
Creator of the popular web game Proximity
You know where you are? You're in the $PATH, baby. You're gonna get executed!
Jeez, next thing programmers will be expected to document their code.
What will the XP weenies do then?
GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak
It sounds good and all but there's a direct correlation between the deadline and how bullet proof the code is.
insert sig here
Correct-by-construction programming is a fundamental part of a proper education in software engineering, I would have thought.
Where did these people learn to code?
Miri it is whil Linux ilast...
Agreed, periodic checking for holes has it's own value, but nothing beats using the best quality, industrial-strength (tm) bits to start with, moreso while developing reliable software in the post-911 world.
An Indian-American Hindu committed to non-violent thought/speech/action alarmed by the global explosion of radical Islam
Has Ric Romero seen this report yet?
After taking this training routine, Microsoft says that Vista will be delayed another 2 years.
How do people learn to code like this? Is it just early habits that do not go away?
The example in the write up is not a catch 22. A catch 22 requires two things be done, each one before the other, thus neither can be done.
This would presume that developers know how to TEST software. LARGE presumption on their part... It would be better to have competent TESTERS actually- test the code.
Taking the time during development to test and debug your code. I'm sorry, but this isn't something new, nor somethign to be ignored. People mistakenly think that you throw your code together, and if it works you're done. This is wrong. Any production system code should be tested before being put in. Maybe testing and debugging should be considered overhead in an industry that doesn't have much thereof (consider manufacturing of hardware).
Otherwise we are just fueling the fire of exploitation and bad-user experiences.
--
Goblez
- Kal`Goblez
Is it just me, or does the article just read like a thinly veiled advertisement for Coverity? It's reads like a generic commercial template: "Meet Bob. Bob thought everything was fine. But then he discovered he had Problem X. That's when Bob discovered Company Y with Solution Z." (etc. etc.).
Program Intellivision!
Tools are a cost effective way of checking source for lots of different kinds of problems. I have no direct experience of the Coverity tool, but see that they are certainly good at getting lots of publicity. A List of static analysis tools is available on Wikipedia.
to paraphrase Oscar Wilde: Anyone who doesn't have enough time to do it right, has enough time to do it again.
Apology to Ubuntu forum.
Automated static analysis spurs second wave of XP hysteria. Formal methods found dead from apparent suicide in home.
If being careful makes you miss the deadline, then the deadline is set wrong. Shipping a product with security holes that you knew about + could've fixed with a bit more time is how we got into the position we're in. Pushing back a release date to fix them first should be the rule, not the exception.
stuff |
Especially if you don't know assembler.
.Net is? I know MS boasts that not a single security hole has been spotted so far but I do not know of any apps that use it? I know Java is secure for that reason but less usefull on the desktop.
The problem I see is that hackers today use buffer and stack overflows. The compiler creates the insecure code more than the program.
I wonder how secure managed code in
http://saveie6.com/
Assuming you have a good idea of what input to your program is supposed to be, and you have an adequate method of checking to make sure the data is not some sort of goo (love those regexs!), then you should be able to test the software as you go. I'm of the school that tends to build each part, test it, and move on. It cuts down on the holes if I know where a piece of data comes from, where it's going, and what manipulations may happen to it along the way.
GetOuttaMySpace - The Anti-Social Network
We know how to code securely, at least in the same way that every profession has its skill levels on a bell curve.
What the industry needs, as has been pointed out here, is companies that are
A) willing to give developers the time to design software correctly,
B) willing to give testers the time to test software thoroughly, and
C) willing to delay software that the testers find holes in.
Narrator: A new program written by my company is shipped on time, but with bugs. The network stack locks up. The OS crashes and burns and scrambles the hard drive. Now, should we initiate a code review? Take the number of licenses in the field, A, multiply by the probable rate of failure, B, multiply by the average out-of-court settlement, C. A times B times C equals X. If X is less than the cost of a code review, we don't do one.
Business woman on plane: Are there a lot of these kinds of bugs?
Narrator: You wouldn't believe.
Business woman on plane: Which software company do you work for?
Narrator: A major one.
Weaselmancer
rediculous.
Now advertisements for COTS products are news articles?
While I appreciate the articles on NASA releasing code analysis tools - or pointers to freshmeat - embelishing about something I can't immediately use is boring. Procurement happens at a snails pace for purchased software - gimme something I can throw on the stage and start training dev's to use.
Or at least something in depth that shows statistics on *how much* the schedule slips by when taking this security first approach - that would be news:
"WSJ reports security-first approach to software costs 18% increase in time to deliver"
agreed?
You are checking your backups, aren't you?
I see static analysis and code auditing as an excellent step on the road of security, but at a completely different level you have to also make sure that the processes you're coding are also secure. All the secure programming techniques in the world will not help you if your design itself has flawed assumptions. So not only should you program for security but you should also design for security.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
The Internet is full. Go away.
It's when you rush and abandon good practises that the project is in danger of becoming seriously late.
It's something everyone knows, and everyone occasionally forgets.
I've some inside info and let me tell you how it works: write the best code, check for holes, make sure there are no bugs and so on and so on, but if you miss the deadline you're definitely fired.
And since the deadline is always unrealistic, all checks get down in priority as you try to keep your job hammeric code that barely works with the speed of light.
If "many companies" are teaching their programmers to write secure code then "many companies" should recalculate the deadlines and include code-checking in their timepath, instead of complaining about missed deadlines....
i mean either include code-checking and allocate time for it or don't check it and finish earlier... can't have it both ways...
Probably fanning the flames here I'm wondering is there a free (as in beer) alternative to these products?
Code reviews by cow-orkers are nothing new. Ed Yourden and many others were publishing books in the late 80s and early 90s showing that it was a really good way to get code that was nicer and had fewer defects. To say nothing of Brooks's programming unit teams from over 25 years ago.
It's nice that someone is waving the security flag to promote it, but a little sad that everyone wasn't already doing it.
Nihil Illegitemi Carborvndvm
Ahh, deadlines, where would we be without them. Personally, I think that deadlines are the catch 22 of software development. With a strict deadline, you sacrifice quality. However, with a loose deadline, you sacrifice a product to your customer, which then sacrifices money coming into the company, which sacrifices your paycheck and even your job. Deadlines definitely have their place in the world, but I also believe that they should be loose enough to give you time to get a secure, thoroughly tested, and correct version of software out to the customer. Either that or a signed paper that says you're not responsible for anything you code because you were told to get the product out on time. However, that thought is incredibly naive at best.
There is no such thing as software engineering. Software is still in the craftsmanship stages. Come back 100 years from now and maybe it will be approaching the rigor of engineering, as a discipline.
"Big design up front" does not work for software projects. ALL PHASES of software development are *design*. You have to do continuous evolution of the design and the code in tandem. As the C2 wiki would say: Practice ContinuousIntegration. Do ShortIterations to MeasureVelocity (i.e. to get constant feedback about your progress). RefactorMercilessly. CodeUnitTestsFirst. And most important of all: write something OnceAndOnlyOnce, and DoTheSimplestThingThatCouldPossiblyWork. Because YouArentGonnaNeedIt.
This stands in contrast to an earlier ethos to rush to beat rivals with new software, and, of course, brings tradeoffs: 'Revamping the software-development process creates a Catch 22: being more careful can mean missing deadlines.'
As with everything in a project, adherence to security guidelines must be figured into the time estimates for a project. Time estimates must in turn be based on department-reviewed technical specs. Tech specs are based on design and development reviewed functional specs. Functional specs are based on user and business requirements. If the project manager pushes for concrete time estimates using comprehensive one-to-one project description methodology, deadlines will still get missed, but it won't be because of a single requirement like security. Sometimes this means the project manager has to push back on the developers to say something like, "Are you sure it's only going to take you 80 hours to implement centralized licensing?" But that's what the project manager is supposed to do.
Business sometimes requires that releases occur on a schedule. Ok, fine, but that means scaling back the features included, not the quality of the product, and in today's market, security is one of the variables in determining quality.
*** *** You're just jealous 'cause the voices talk to me... ***
More savvy programmers have started referring to crashes as 'security-necessitated shutdowns'.
This task should be included in the schedule. If the deadline is missed because of this task then it is due to bad estimation, just like all the other tasks.
The problem is one of doing things in software the way Automobile companies did in the 60's and Japan stopped doing in the 70's. Traditionally in software development you design... then send to engineering to build then send to QA for an endless cycle of test bitch fix bitch retest bitch fix bitch test bitch deadline ooops market. QA should be involved the moment some fool says "I have an idea" and stay in the loop all the way. Testing in increments as things are built. I've done more in a white paper on my site as for writing this all up but this is the jist. Integration of Quality control from the start means less problems. The idea of. I'll fix it later sucks because it never gets to be later.
I'm sorry, I'm to tired to be witty at the moment so this message will have to do.
Everybody makes mistakes. That is how we learn and progress to a more experienced state of being.
By telling people not to make mistakes is letting them know that they cannot try out new and inventive, sometimes even shorter ways of doing things.
Unit testing is fine and should be encouraged, but really the thing you want to do here is make your build process do all the donkey work as much as possible, and let your programmers worry about the programming issues and doing things smarter and achieve the most with the least possible effort.
The build process can do the following, if you do it right:
-> Build the code to executable format and even CD ISO distributables (duh)
-> Do code indenting and formatting etc. to conform to a standard.
-> Do unit testing on code segments, and even tell you what % parts were not tested.
-> Scan the code for bad practices such as strcpy and unmatched mallocs.
-> Gather all your TODO's and your FIXME's into an output file.
-> Run the program live and do input fuzzing testing, with extended debugging logs.
-> Run nessus and other attack scripting languages to take care of the obvious issues.
With all these measures in place, it is a simple matter of having *somebody* go through the build logs and make a priority / TODO list, fixing security first and stability later, and the small imperfections last.
But alas. Nobody looks at the logs. Logs are boring. Thats why you have to keep them visible. Maybe via RSS, IM or email?
"If being careful makes you miss the deadline, then the deadline is set wrong."
The guys at 3D Realms agree with you.
The concept of automating code scans to check for "errors" is essentially delusional. You cannot create a catalog of 4,000 known bugs (or some huge number) in software you intend to ship, not when you save money on coding costs by kicking the original bums who understand the code upstairs (or curbside) and then hire RCG's to maintain, or worse, improve, the crap they'll never own. I have never, ever, fixed a bug that wasn't coated with a diamantine millimeter of solid acrimony - but no lintpicking automaton found those errors, either. There was always a human dimension. My favorite was a screaming hysteric who threw a stack of printouts six inches thick at me, all documenting the exact same one-word typo. You want to run a company like coding is the bottom rung of your personal Jacob's Ladder, be my eternal guest.
``Tension, apprehension & dissension have begun!'' - Duffy Wyg&, in Alfred Bester's _The Demolished Man_
But to stay with the topic, analysis tools are just that: tools. They are not a cure to chronic software problems. Developers are not excused from the responsibility of at least attempting to write quality code.
Some current project development methods really contribute to buggy and insecure code. Example: XP. I really think that some aspects of XP programming are a bad idea. Namely, the "code as fast as you can" aspect of it is fraught with errors. A more thoughtful, disciplined approach might seem like it is terribly slow. Yet being inherently less buggy, it can reach the target faster than the sloppier, more haphazard approach. This is much like the Tortoise and the Hare. Or maybe a better analogy would be like a rally driver who is more careful with his fuel and tires.
Don't get me wrong. Some parts of XP are fine. The Buddy System is an excellent way to get things done quickly by short-circuiting the collaboration cycle.
Revamping the software-development process creates a Catch 22: being more careful can mean missing deadlines.
Those "deadlines" that you speak of:
Are they dictated by the customer? Generally not; there are exceptions, but most customers look to you for an answer of how long it might take.
Are they dictated by the market? Probably not; for one quick example just look at Microsoft and their slipped schedules on OS, 5 years without an update to the browser, etc, etc, all without significant impact on the their software usage.
No, having worked in this field for quite a few years and seen what goes on, these deadlines are imposed by marketdroids and clueless managers who don't know that a deadline is necessary, cannot predict or even measure after the fact any impact of deadlines on sales and they certainly don't appreciate what harm they do to products by imposing arbitrary deadlines.
So this catch-22: it involves creating a better (i.e. more secure in this case) product at the expense of missing arbitrary deadlines that probably didn't have much to do with success of the product in the first place. Does someone need to have catch-22 explained to them?
...and a required minimum warranty on software would help to"nudge" this along. Software is a mature industry now, does no longer need training wheels, nor any exception to the warranties all other products require to be sold, leased, or etc. Leaving it voluntary has resulted in decades of code bloat, insecure code, buggy code and perpetual betaware, and an ingrained mindset that this article is talking about, both with the grunts and with the marketers and owners. Every single one of these bigass for profit software companies calls their stuff a "product", so, let us as a society treat it as a legal product, SAME as every other industry.
Less releases, leading to much better quality? That's the entire idea behind warranties. And lemon laws exist when warranties aren't enough. Stocks, billion dollar businesses, huge salaries, patents, etc all say "warranty needed" to the 99.99% of the people out there who aren't coders, the "consumers", the folks who provide the cash for these products.
Free software, given away gratis, I don't care, label it betaware, use the users as testers. For "license" for cash folding money software? Needs a warranty and lemon laws.
Yeah, 'cause a link titled "RIM Holes" that leads to a site called "sexymisslizzie.com" couldn't POSSIBLY be a pr0n site.
It is very nice that this bozo has a (very expensive I read) little program that tries to detect problems when they have already happened. So along comes mr friendly one day (or more?) after the fact to dicipline the programmer? That does not sound like a very positive approach to me.
If you want to learn someby something (I hope mr belittle does) it works much better if you have a quick feedback loop, react immediately when something is going wrong, not one weekend later when the programmer has all but forgotten why he did it that way. I agree you cannot use a mr little for such feedback, but unittests and other tests that have to run before the developer can turn in his work can be run automagically. Test are not partial, do not have favorites, and are easy to understand by a programmer. Mr little is probably the opposite. You will either need a pairprogramming or review process to prevent programmers from just disabling the test that fail, but with such a process you will have good software and happy programmers. Mr Little does not make programmers happy.
Have a look at aegis, a Configuration management system that can enforce such a process and do a lot of other commonsense things. The 'problem' with aegis is that it does not have a pretty pictures interface, so it's advantages are hard to explain to pointy haired bosses.
This space is intentionally staring blankly at you
I am in the process of evalutating Fortify and it seems like a really good product as well, with security at the heart of the evaluation rather than just mere bug finding.
Have not looked at Klocwork yet but it seems similar.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Good. Fast. Cheap. Pick any two. You can define the scope, the deadline, or the budget. Pick one. Not two. Not three. One.
I've purchased copies of some Linux distributions (most recent, SUSE 10.0).
A Catch 22 requires two mutually exclusive things to be at the same time.
It comes from the book of the same name wherein the only way to get the army to take you out of the war, you had to be proven crazy, but desiring to get out proved you weren't crazy, so there was no (legal) way out (without getting injured or killed in the line of duty).
--
``...like an alpaca sack full of hairy strawberry ice cream, bleeding, pink toes awry...''
You should really read Unit Testing in Java: How the Tests Drive the Code. XP is about small, direct steps, and when these are done with tests first, they greatly improve the quality of the code. You can draw all the big, fancy, pie-in-the-sky diagrams you want, and still get sloppy code.
Lies about crimes
I have been think if it isn't posible
to make a valgrind tool which scans for secuity issus ?
http://valgrind.org/info/tools.html
being more careful can mean missing deadlines
Failing to plan extra time to be more careful (ie. check for bugs) means missing deadlines. Only an incompetent manger, or a dishonest conman setting the team up to fail is going to insist on extra care in coding and/or code review and not put the extra time required on the plan. There's definitely a time vs quality tradeoff but it has nothing to do with missing deadlines since they should be set correctly.
These posts express my own personal views, not those of my employer
It's sad times indeed when you have to explain to a programmer to test his code. It sounds to me like the easy-buttons are catching up with laziness and breeding stupidity.
Join the Slashcott! Feb 10 thru Feb 17!
fortunately for us, you don't make the laws
Unfortunately for you, neither do you. See UMG v. MP3.com . But on the other hand if you build a ROM dumper and copy the data from the cartridge to your hard drive, you're in the right under 17 USC 117 and foreign counterparts.
Comment removed based on user account deletion
I know Java is secure for that reason but less usefull on the desktop.
What specifically makes the Java platform less useful on the desktop? Are there big problems with a widely deployed application for the Java platform called Azureus, other than perhaps memory use?
You can use the techniques of formal verification to prove that software is correct. http://en.wikipedia.org/wiki/Formal_verification
In Soviet Russia the insensitive clod is YOU!
In their infinite wisdom management has decided that, since programmers now know how to program safelly, programmers will have the responsability of avoiding security bugs while still having to deliver the application withing the same deadline.
I agree with you, but I've got a few more reasons why it's better to get other people in.
;)
Reviewing your own work is very important, but the problem is justifying how long you 'hold off the submission' while you review your own work. How long do you review it for? This is the typical problem engineers feel that they have with management pushing them for rapid development.
If you add the step of getting others to review your work to the submission process then you can justify it in the following ways:
1. You can be reviewing other work or working on something else. This gives you a break from the code you've just written so you can see it with fresher eyes when you get to make the submission.
2. Other team members have a better view of what's happening within the code. This has the advantage that you can justify it to management as being able to cover for sickness, holiday, etc.
3. As you're working in a team, you'll probably be using each others code, so they'll be in a good position to suggest better ways of achieving things when using it.
4. You make the code easier to read, as others have to read it for the review. This helps everyone as someone will always have to come back to look at the code in the future. It might be next week, next month, next year or longer. If it's over a year, it might as well have been written by someone else.
This hits debugging also:
"Debugging is twice as hard as writing the code in the first place. Therefore, if you write the code as cleverly as possible, you are, by definition, not smart enough to debug it." -Brian Kernigan
5. Once it's submitted you won't get a chance to review it or clean it up. Justifying a rewrite is a very hard thing to do.
Automated methods of finding problems are valuable, but they should be seen as suplemental to the 'mark 1 eyeball' and not a replacement for them, and they can only do so much. For instance spell checker checks your spelling, a grammar checker will check your grammar, but neither will check if what you wrote makes sense.
Hopefully this helps
(no I've not reviewed this comment, so hopefully it makes some sense
I recall (but can't find a reference to) an IBM study on code reviews back in the 80's - the biggest bang for the buck was the second set of eyes - that was where you maximized bugs found per reviewer. Does this ring a bell with anyone?
Steve Cline http://www.clines.org, http://www.objectbap.com
I wish Java did have more prorpietary hooks for [COM and the like].
It is possible to wrap a JavaBeans component in an ActiveX control, and Jcom goes the other way.
They counted bugs per line instead of bugs per function. So for 2 modules that did the same function and and had the same number of bugs, the one with more bloat was counted as less buggy.
Not that there is necessarily anything wrong with Coverity tools -- I haven't used them. But their press releases have logic errors.
Today's press release says programmers are being managed to work better because they bought Coverity tools. Maybe, maybe not.
I18N == Intergalacticization