Slashdot Mirror

← Back to Stories (view on slashdot.org)

More Than Coding Errors Behind Bad Software

Posted by ScuttleMonkey on from the bad-decisions-go-all-the-way-up dept.

An anonymous reader writes "SANS' just-released list of the Top 15 most dangerous programming errors obscures the real problem with software development today, argues InfoWeek's Alex Wolfe. In More Than Coding Mistakes At Fault In Bad Software, he lays the blame on PC developers (read: Microsoft) who kicked the time-honored waterfall model to the curb and replaced it not with object-oriented or agile development but with a 'modus operandi of cramming in as many features as possible, and then fixing problems in beta.' He argues that youthful programmers don't know about error-catching and lack a sense of history, suggesting they read Fred Brooks' 'The Mythical Man-Month,' and Gerald Weinberg's 'The Psychology of Computer Programming.'"

22 of 726 comments (clear)

  1. Perfection Has a Price by alain94040 · · Score: 5, Insightful

    The most common errors: SQL injection, command injection, cleartext transmission of Sensitive Information, etc.

    People make mistakes. Software needs to ship, preferably yesterday.

    How much would it cost to have perfect software? I happen to have worked in an industry that requires perfect coding. So I can imagine what it would look like if Microsoft tried it.

    The debugger would cost half a million dollar per seat (gdb is free). There would be an entire industry dedicated to analyzing your source code and doing all kinds of proofs, coverage, what-if analysis and other stuff that require Ph.Ds to understand the results.

    The industry I'm referring to is the chip industry. Hardware designers code pretty much like software developers (except the languages they use are massively parallel, but apart from that, they use the same basic constructs). Hardware companies can't afford a single mistake because once the chip goes to fab, that's it. No patches like software, no version 1.0.1.

    It's just not practical. Let the NSA order special versions of Office that cost 10 times the price and ship three years after the consumer version.

    But for me, "good enough" is indeed good enough.

    --
    FairSoftware.net -- work where geeks are their own boss

    1. Re:Perfection Has a Price by Opportunist · · Score: 5, Insightful

      The problem is that software doesn't even ship as "good enough" anymore. It's more like "it compiles, ship it".

      Your example of hardware, and how it's impossible to patch it, was true to a point for software, too, in the past. Before it became easy to distribute software patches via the internet, companies actually invested a lot more time into testing. Why? Because yes, you could technically patch software, but it was tied to sometimes horrible costs to do just that.

      You can actually see a similar trend with the parts of hardware (i.e. BIOSes) that are patchable. Have you ever seen hardware shipped with all BIOS options fully enabled and working? I haven't in the past 2-3 years. More often than not you get a "new" board or controller with the predecessor's BIOS flashed in, and the promise for an update "really soon now".

      The easier it is to patch something, the sloppier the original implementation is. You'd see exactly the same with hardware if it wasn't so terribly hard (read: impossible) to rewire that damn printed circuit. I dread the day when they find some way to actually do it. Then the same will apply to hardware that you have today with some OSs: It's not done until it reads "SP1" on the cover.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:Perfection Has a Price by bb5ch39t · · Score: 5, Interesting

      I'm an old timer, still working on IBM zSeries mainframes, mainly. We just got a new system, which runs on a combination of Linux and Windows servers, to replace an application which used to run on the mainframe. Nobody likes it. We are apparently a beta test site (though we were told it was production ready). It has a web administration interface. For some reason, on some users, the only PC which can update those users is my Linux PC running Firefox. Nobody can say why. Until early last week, it would take a person a full 5 minutes to login to the product. They made some change to the software and now it takes about 10 seconds. this is production quality? No, I won't say the product. Sorry. Against policy.

    3. Re:Perfection Has a Price by networkBoy · · Score: 5, Informative

      they cost a shit ton of money is what happened.

      A project I was on in 2000ish went as follows:
      Steppings A0, A1, A2, and A3 were halted in-fab because someone found a critical bug in simulations.
      A4-A7 did not work.
      B0-B4 did not work B6 did not work
      C0-C4 did not work
      B5, B7, C5 sorta worked.
      The company folded.
      That's what a software mentality working on hardware will get you.

      Steppings in CPUs are a little different. Often an earlier stepping was functional enough to start the design cycle for Dell HP, et.al. but not ideal. The later steppings start by fixing the deficiencies, then beyond that are likely cost cutting.
      -nB

      --
      whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
    4. Re:Perfection Has a Price by Anonymous Coward · · Score: 5, Funny

      I am 40 years old and have been in this world since I was around 10 or so

      You're 30 dude. Deal with it.

    5. Re:Perfection Has a Price by jellomizer · · Score: 5, Informative

      I'm old enough to remember when it wasn't like that. You'd run your program and it was ready in a second, you'd exit and it left no trace. Crashes were virtually unheard of. We have people where I work who only do data entry, and they still use wordperfect 4.2 on 386 hardware. I've seen their workflow and how fast it works for them and I can see if they "modernized" it would cripple their productivity.

      You remember wrong.
      The old stuff was always failing and had a bunch of problems...
      You are probably thinking about your old DOS PC. If the floppy disk wasn't corrupted thinks in general worked and it worked well. Why because the programmer could fairly easily test all the cases, and allow security bugs, as a buffer overflow can be prevented as it would take to long for the guy to physically type in the data... And it was one application with essentially the full PC at its whim.
      If you tried to do computing with Multi-tasking such as apps like Desqview your stability was greatly reduced. It would make you want to wish for Windows 95. Or remember Windows 3.1 stabilty...

      Downloading data via the Modem was a hit or miss activity. I remember getting disconnected trying to download Slackware as there was a combination for the zmodem that passed the hangup code to the modem, forcing me to regzip the file over again to get it.

      Just because you were doing simple things back then it wasn't because they were better.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  2. a book never written by jollyreaper · · Score: 5, Funny

    Fred Brooks's 'The Mythical Man-Month',

    I read that as "the Mythical Man-Moth." I bet that would be a great book.

    --
    Kwisatz Haderach
    Sell the spice to CHOAM
    This Mahdi took Shaddam's Throne
  3. When I was breaking in by PingXao · · Score: 5, Insightful

    In the early '80s there were no "older" programmers unless you were talking mainframe data processing. On microprocessor CPU systems the average age was low, as I recall. Back then we didn't blame poor software on "youthful programmers". We blamed it on idiots who didn't know what they were doing. I think it's safe to say that much hasn't changed.

    1. Re:When I was breaking in by Skapare · · Score: 5, Insightful

      This is true with any group. There are geniuses and idiots in all groups. The problems exist because once the supply of geniuses have been exhausted, businesses tap into the idiots. And this is made worse when employers want to limit pay across the board based on what the idiots were accepting. Now they are going overseas to tap into cheaper geniuses, which are now running out, and in the mean time, lots of local geniuses have moved on to some other career path because they didn't want to live at the economic level of an idiot.

      --
      now we need to go OSS in diesel cars
    2. Re:When I was breaking in by 77Punker · · Score: 5, Interesting

      After working 3 months at my first programming job, the other two developers quit which left just me. I felt inadequate until I started interviewing other programmers to fill in the gap. Apparently lead developers with 10 years of experience can't solve the simplest programming problems, explain how databases work, or explain OOP. I'm convinced that most software sucks because most people writing it have no idea what they're doing and shouldn't be allowed to touch a computer. I'm currently in my 5th month at the same job and we've got someone good who will start soon, but it took a long time to find even one competent developer.

    3. Re:When I was breaking in by Opportunist · · Score: 5, Interesting

      Quite dead on. But the difference is that today, with all the RAD tools around, you have a fair lot of "programmers" who don't even know what they're doing and get away with it. They got some course, maybe at their school (and that's already the better ones of the lot), maybe as some sort of an attempt to get them back onto a job from their unemployment services, and of course tha intarwebz is where da money is, so everyone and their dog learned how to write a few lines in VB (or C#, the difference for this kind of code molesters is insignificant) and now they're let loose on the market.

      Then you get hired by some company that signed up those "impressively cheap programmers, see, programmers needn't be horribly expensive" when the project goes south because deadlines lead to dead ends but no product, and you're greeted with code that makes you just yell out WTF? You got conditional branches that do exactly the same in every branch. You get loops that do nothing for 90% of the loop time and when asked you just get a blank stare and a "well, how do you think we could count from 80 to 90 besides counting from 0 to 90 and 'continue;' for 0-70?", because that's how they learned it and they never for a nanosecond pondered just WHAT those numbers in the 'for' block meant. And so on.

      Granted, those are the extreme examples of people who learned programming like a poem. By heart. They have a hammer as a tool, so every problem has to be turned into a nail. But you'd be amazed at the blank stares and "what do I need that for?" when you ask some of those "programmers" about hash tables (include snide joke about Lady Mary Jane here...) or Big-O notation. And we're talking people who are supposedly able to write a database application here.

      This is the problem here. It's not youthful programmers. It's simply people who know a minimum about programming and managed to trick some HR goon into believing they could actually do it.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    4. Re:When I was breaking in by fishbowl · · Score: 5, Funny

      >There are geniuses and idiots in all groups.

      Most of both groups are within two standard deviations of a norm. Your idiots are probably smarter than you think and your geniuses are probably not as smart as you'd like to believe.

      --
      -fb Everything not expressly forbidden is now mandatory.
    5. Re:When I was breaking in by Surt · · Score: 5, Insightful

      Do you care whether they write a loop or return (n*n+1)/2? (where n=100 in this case?)

      (curious whether you are looking for the person who knows the clever solution, or the guy who can write a basic loop).

      --
      "Who is the Journal of Quantum Physics going to believe?" --Stephen Hawking
  4. Re:Waterfall by Timothy+Brownawell · · Score: 5, Insightful

    The waterfall method is still the best development model. [...] Unfortunately waterfall doesn't fit into the real world

    WTF? Not working in the real world makes it a crap model.

    When you boil all the trendy stuff out of Agile, you're basically left with a generic iterated waterfall, which is[...]

    ...not a waterfall.

  5. Users are to blame by Chris_Jefferson · · Score: 5, Insightful
    The sad truth is, given the choice between a well-written, stable and fast application with a tiny set of features and a giant slow buggy program with every feature under the sun, too many users choose the second.

    If people refused to use and pay for buggy applications, they would either get fixed or die off.

    --
    Combination - fun iPhone puzzling
  6. cheap shot by Anonymous Coward · · Score: 5, Informative

    I work at Microsoft. We use agile development and almost everybody I know here has read the Mythical Man Month. Get your facts straight before taking cheap shots in story submissions. Thanks.

  7. Microsoft? by dedazo · · Score: 5, Informative

    Most of the teams I've had contact with inside the tools group at MS (in the last four years or so) use SCRUM.

    I don't know how widespread that is in other divisions (say the MSN/Live folks or the Microsoft.com teams) but that clever comment in the submission is nothing more than an ignorant cheap shot.

    Don't be so twitterish and make up crap about Microsoft. Get your facts straight or you just come across as an idiot.

    --
    Web2.0: I love when people Flickr my cuil and digg my boingboing until my google is reddit and I start to yahoo
  8. Typical: blame the process by SparkleMotion88 · · Score: 5, Interesting
    It is very common for people to blame all of the problems of software engineering on some particular methodology. We've been shifting blame from one method to another for decades, and the result is that we just get new processes that aren't necessarily better than the old ones.

    The fact is that software development is very difficult. I think there are several reasons why it is more difficult to develop robust software now than it was 20 years ago. Some of these reasons are:
    • The customer expects more from software: more features, flashier interfaces, bigger datasets -- all of these things make the software much more complicated. The mainframe systems of a few decades ago can't even compare to the level of complexity of today's systems (ok, maybe OS/360).
    • There is just more software out there. So any new software that we create is not only supposed to do its job, but also interconnect with various other systems, using the standards and interfaces of various governing bodies. This effect has been growing unchecked for years, but we are starting to counter it with things like SOA, etc.
    • The software engineering talent has been diluted. There, I said it. The programmers of 20-30 years ago were, on average, better than the programmers of today. The reason is we have more need for software developers, so more mediocre developers slip in there. Aggravating this issue is the fact that the skilled folks, those who develop successful architectures and programming languages, don't tend to consider the ability level of the people who will be working with the systems they develop. This leads to chronic "cargo cult programming" (i.e. code, test, repeat) in many organizations.
    • Software has become a part of business in nearly every industry. This means that people who make high-level decisions about software don't necessarily know anything about software. In the old days, only nerds at IBM, Cray, EDS, etc got involved with software development. These days, the VP of technology at Kleenex (who has an MBA) will decide how the new inventory tracking software will be built.

    I'm sure there are more causes and other folks will chime in.

  9. It's economics, too... by gillbates · · Score: 5, Insightful

    As long as:

    • Consumers buy software based on flashy graphics and bullet lists of features, without regard for quality...
    • Companies insist on paying the lowest wages possible to programmers...
    • Programmers are rewarded for shipping code, rather than its quality...

    You will have buggy, insecure software.

    Fast. Cheap. Good. Pick any two.

    The market has spoken, and said that they would rather have the familiar and flashy than secure and stable. Microsoft fills this niche. There are other niches, such as the Stable and Secure Computer market, and they're owned by the mainframe and UNIX vendors. But these aren't as visible as the PC market, because they need not advertise as much; their reputation precedes them. But they are just as important, if not moreso, than the consumer market.

    --
    The society for a thought-free internet welcomes you.
  10. Re:Waterfall by radish · · Score: 5, Insightful

    The waterfall is broken, seriously. I'm paraphrasing from an excellent talk I attended a while back, but here goes.

    For a typical waterfall you're doing roughly these steps: Requirements Analysis, Design, Implementation, Testing, Maintenance. So let's start at the beginning...requirements. So off you go notebook in hand to get some requirements. When are you done? How do you know you got them all? Hint: you will never have them all, and they will keep changing. But you have to stop at some point so you can move onto design, so when do we stop? Typically it's when we get to the end of the week/month/year allocated on the project plan. Awesome. Maybe we've got 50% of the reqs done, maybe not. It'll be a long time until we find out for sure...

    Next up - Design! Woot, this bit is fun. So we crank up Rose or whatever and get to work. But when do we stop? Well again, that's tough. Because I don't know about you but I can design forever, getting better and better, more and more modular, more and more generic, until the whole thing has flipped itself inside out. So we stop when it's "good enough" - according to who? Or more likely, it's now 1 week to delivery and no-one's written any code yet so we better stop designing!

    Implementation time. Well at least this time we know when we're done! We're up against it time wise though, because we did such a good job on Reqs & Design. Let's pull some all nighters and get stuff churned out pronto, who cares how good it is, no time for that now. That lovely, expensive design gets pushed aside.

    No time to test...gotta hit the release date.

    Sure this isn't the waterfall model as published in the text books, but it's how it works (fails) in real life. And the text books specifically don't say how to fix the problems inherent in the first two stages. What to do instead? Small, incremental feature based development. Gather requirements, assign costs to them, ask the sponsors to pick a few, implement & test the chosen features, repeat until out of time or money.

    --

    ---- Den ene knappen er powerknapp, den andre er Bender voice knapp "Bite My Shiny Metal Ass"

  11. Re:Its all true by Cornflake917 · · Score: 5, Insightful

    I think refusing to hire someone solely because of their age is naive. Is there some magical event at the age of 30 that bestows knowledge of linkers to the aging programmer? Give me a break. You are making bad assumptions. Your first bad assumption is that just because of your anecdotal experience dealing with one individual, that all schools no longer teach anything about linkers. Your second bad assumption is that even if that was true, no programmer would learn that information on their own, as if no one is generally interested in learning comp sci any more outside of the classroom.

    --
    Abaddon: An Xbox 360 Indie game
  12. Re:Question by DoofusOfDeath · · Score: 5, Informative

    Sorry to be harsh, but get with the times. Computing these days is vastly more complex then back in the "good old days".

    You. are. fucking. kidding. me., right?

    The sources of complexity have changed, but not significantly increased.

    When's the last time your code had to:

    • Employ overlays to make your code fit into memory?
    • Write a large, complex algorithm in assembly, or even (in the 50's) straight machine language?
    • Consider writing self-modifying code, just to make the program require less memory?
    • Make "clever" use of obscure, corner-case behavior of certain machine instructions, not because you like to screw the people who will inherit the code, but because you have only a time amount memory to work with?
    • Intentionally mis-DIMENSION an array in fortran 77 code, knowing that it will work out okay at runtime, just to avoid (by necessity) the runtime cost of using array-slicing functions?