Open Source is Not Immune to Software Quality Problems

The Heartbleed bug reinforces the need to monitor the quality of open source software

OpenSSL came under fire this past week through the now infamous Heartbleed bug. This open source encryption library is used by over 500,000 websites, including Google, Facebook, and Yahoo, to protect their customers’ valuable information. While generally a solid program, OpenSSL harbors a security vulnerability that allows attackers to read the memory of servers and potentially steal the private keys used to encrypt communications, and with them gain access to an organization’s internal documents. Technically known as CVE-2014-0160, the Heartbleed bug allows an attacker to read up to 64 kilobytes of server memory per request, and nothing stops the request from being repeated. The cause is a missing bounds check in OpenSSL’s handling of the TLS heartbeat extension: the code trusted the payload length claimed by the peer instead of comparing it with the length of the record actually received. As an open source project, it’s hard to pinpoint who is responsible, much less scrutinize all the complex code created for the OpenSSL project to find such a minute vulnerability. While I’m definitely not knocking open-source projects … Continue reading
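The mechanism described above, as an added example that is not code from the OpenSSL project or from the original post: a simplified C model of a heartbeat handler in its vulnerable form beside the fixed form. The handler names, the simulated heap layout, the 4-byte "ping" and the SECRET string are constructed for illustration; the one thing taken from the real fix is the length check `1 + 2 + payload + 16 > record length` that OpenSSL 1.0.1g added, and the 16-byte padding constant OpenSSL uses for heartbeat responses.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST 1
#define HB_PADDING 16          /* padding length OpenSSL appends to a heartbeat response */
#define HEAP_SIZE  512
#define PING_LEN   4

/* Simulated process memory (constructed for this example): the heartbeat
 * record sits at the start and a "secret" is allocated right after it,
 * which is the adjacency the real exploit relied on. */
static uint8_t heap[HEAP_SIZE];
static const char SECRET[] = "PRIVATE-KEY-MATERIAL";   /* 21 bytes incl. NUL; constructed */

typedef int (*hb_handler)(const uint8_t *rec, size_t rec_len,
                          uint8_t *out, size_t out_cap, size_t *out_len);

/* Write a heartbeat request at heap[0]: type, 2-byte big-endian length,
 * payload, padding. `claimed` is the length field the sender puts on the
 * wire; `actual` is how many payload bytes are really present.
 * Returns the true record length. */
static size_t stage_request(uint16_t claimed, const uint8_t *payload, size_t actual)
{
    size_t n = 0;
    memset(heap, 0, sizeof heap);
    heap[n++] = HB_REQUEST;
    heap[n++] = (uint8_t)(claimed >> 8);
    heap[n++] = (uint8_t)(claimed & 0xff);
    memcpy(heap + n, payload, actual);
    n += actual;
    memset(heap + n, 0xAA, HB_PADDING);
    n += HB_PADDING;
    memcpy(heap + n, SECRET, sizeof SECRET);   /* the neighbouring allocation */
    return n;
}

/* Vulnerable handler, modelled on OpenSSL 1.0.1 through 1.0.1f: the payload
 * length is taken from the record and never compared with rec_len, so the
 * memcpy reads past the bytes that were actually received. (The out_cap
 * check only keeps this demo inside its simulated heap.) */
static int heartbeat_vulnerable(const uint8_t *rec, size_t rec_len,
                                uint8_t *out, size_t out_cap, size_t *out_len)
{
    uint16_t payload_len;
    if (rec_len < 3 || rec[0] != HB_REQUEST) return -1;
    payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if (payload_len > out_cap) return -1;
    memcpy(out, rec + 3, payload_len);            /* over-read when payload_len > actual payload */
    *out_len = payload_len;
    return 0;
}

/* Fixed handler: the check OpenSSL 1.0.1g added. A request whose claimed
 * payload plus header and padding exceeds the record is silently dropped. */
static int heartbeat_fixed(const uint8_t *rec, size_t rec_len,
                           uint8_t *out, size_t out_cap, size_t *out_len)
{
    uint16_t payload_len;
    if (rec_len < 3 || rec[0] != HB_REQUEST) return -1;
    payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload_len + HB_PADDING > rec_len) return -1;
    if (payload_len > out_cap) return -1;
    memcpy(out, rec + 3, payload_len);
    *out_len = payload_len;
    return 0;
}

/* Send a 4-byte "ping" whose length field says `claimed`, and report how
 * many bytes of SECRET came back: -1 if the handler rejected the request,
 * 0 if it answered without leaking, otherwise the number of leaked bytes. */
static long leaked_secret_bytes(hb_handler handler, uint16_t claimed)
{
    static const uint8_t ping[PING_LEN] = { 'p', 'i', 'n', 'g' };
    uint8_t out[HEAP_SIZE];
    size_t out_len = 0, n, rec_len;
    const size_t secret_in_resp = PING_LEN + HB_PADDING;  /* response offset where SECRET begins */

    if ((size_t)claimed + 3 > HEAP_SIZE) return -1;        /* keep the demo inside the simulated heap */
    rec_len = stage_request(claimed, ping, PING_LEN);
    if (handler(heap, rec_len, out, sizeof out, &out_len) != 0) return -1;
    if (out_len <= secret_in_resp) return 0;
    n = out_len - secret_in_resp;
    if (n > sizeof SECRET) n = sizeof SECRET;
    return memcmp(out + secret_in_resp, SECRET, n) == 0 ? (long)n : 0;
}

int main(void)
{
    printf("vulnerable, honest length : %ld secret bytes leaked\n", leaked_secret_bytes(heartbeat_vulnerable, PING_LEN));
    printf("vulnerable, claimed 64    : %ld secret bytes leaked\n", leaked_secret_bytes(heartbeat_vulnerable, 64));
    printf("fixed, honest length      : %ld secret bytes leaked\n", leaked_secret_bytes(heartbeat_fixed, PING_LEN));
    printf("fixed, claimed 64         : %ld (-1 = request dropped)\n", leaked_secret_bytes(heartbeat_fixed, 64));
    return 0;
}
```

The vulnerable handler answers the honest request correctly, which is why the bug sat unnoticed: only a client that lies in the length field gets the bytes beyond its own payload. The fixed handler drops such a request rather than answering with a truncated response, which is what the heartbeat RFC asks for and what the upstream fix does.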

Software Quality beyond Application Boundaries

The retail security crisis continues…

A recent Wall Street Journal article exposed potential issues with Bitcoin’s transaction network. This left the Tokyo-based Mt. Gox exchange and Gavin Andresen, Chief Scientist at the Bitcoin Foundation, pointing fingers at each other.

So far the retail industry has felt the pain of sophisticated hackers stealing sensitive information:

Target Corp. – the latest news suggests that the breach started with a malware-laced phishing email sent to employees at an HVAC firm that did business with the nationwide retailer
Neiman Marcus – 1.1 million debit and credit cards used at its stores may have been compromised
Michaels – investigating a possible security breach on its payment card network

According to a Business Insider article, smaller breaches of at least three other well-known U.S. retailers also took place during the U.S. holiday shopping season last year and were conducted using techniques similar to those used against Target. Those breaches have yet to come to light in the mainstream media.

Memory-scraping … Continue reading

Startups Need Software Quality Too

Last week Phil Libin, the CEO of Evernote, wrote an honest blog article titled “On Software Quality and Building a Better Evernote in 2014.” It was in response to an earlier blog article by Jason Kincaid which criticized Evernote for a decline in quality over the last few months. In the response, Libin accepted the criticism well and publicly vowed changes to their software in 2014. Libin explained how, as a startup, the focus on growing fast had the unfortunate side effect of introducing more bugs and ultimately affecting quality and user experience. He discussed how constant improvement is key, trading the rush of releasing new product versions for more thorough testing, how software quality must be ingrained in the culture, and that quality improvements need to be shown rather than just discussed.

This story brings to light the importance of software quality, not just through updated tools for testing and measurement but also by empowering the culture of an organization to always focus on software quality and customer experience. … Continue reading

Software Robustness and Resiliency in Capital Markets

CISQ hosted its latest Technology Executive Roundtable at the Marriott at Grand Central (NYC). The topic for this installment was “Software Robustness and Resiliency in Capital Markets”, and it featured the following speakers: Corey Booth, Partner and Managing Director, Boston Consulting Group; Dr. Bill Curtis, Director, CISQ; and JP Chauvet, Chief Architect of Equities, Credit Suisse. Over 25 senior leaders from organizations such as Bridgewater Associates, BNY Mellon, NYSE Euronext, Deutsche Bank, The Depository Trust & Clearing Corporation, and J.P. Morgan were in attendance, listening to presentations, engaging in discussions, and networking with peers.

Dr. Curtis started off by discussing the recent changes in the regulatory environment at the Federal level, especially as they relate to software risk prevention. He covered some of the highlights of Regulation SCI and the feedback provided to the SEC by CISQ. A link to the presentation can be found here.

Mr. Booth then talked about the tradeoffs between risk and development speed, and their implications for software quality frameworks and processes. He discussed the two … Continue reading

Software Startup Quality – High Quality Software Must Be Usable, Reliable, Secure and Available

Building, maintaining, and enhancing high quality software is not a trivial exercise, yet it is critical to software-based startups. Entering the marketplace with a feature-laden but unstable, insecure, difficult to enhance, and poorly performing product ensures a fast track to startup failure.

Producing high quality software demands the convergence of engaged, quality-focused stakeholders, results-based incentive programs, and a developer culture of quality. It also includes finding the right technology partners, making best use of productivity enhancers like appropriate software development platforms and cloud-based services, and leveraging open standards and open source assets. Miss any one of these and your software startup may turn out to be a software turn-off.

Avoid Startup Software Development Risks from Day One

It remains challenging for all organizations to consistently produce high quality software that meets potential customers’ needs, on time and within budget. For the startup the challenges are greater, and so are the stakes.

Software quality starts with governance, or establishing sound development principles, policies, and decision rights. However, governance … Continue reading

Software Measurement: Its Estimation and Metrics Used

Software measurements and metrics: fundamentals (using the example of eGovernment and eCommerce)

With the recent establishment of new regulatory bodies and eGovernment organizations, the number of software developers and quality assurance professionals has almost doubled in the past 2-3 years. To ensure the sound and more predictable development of high quality systems, it is important for developers to gather and evaluate measurable data that guide estimation, decision-making and assessment. It is common sense that the ability to measure and analyze will lead to improved control and management.

Product metrics are also referred to as software metrics. They are directly associated with the product itself and attempt to measure product quality, or characteristics of the product that can be connected with product quality. Process metrics concentrate on the process of software development and measure process structures with the aim of either identifying problems or promoting effective practices. Resource metrics are associated with the properties that are essential for the development of software systems and their realization.

Measurement is … Continue reading

The Problem of Software Quality Metrics

A fine example of a problem posed by software risk came over a decade ago, when the then CIO of the United States Air Force divulged that the US military forces were dependent on hundreds of thousands of copies of a specific piece of software. This piece of software comprised around 65,000,000 lines of code and, because it was a trade secret, the Pentagon had not even been allowed to see it. This information was interesting yet terrifying, particularly because the US knew that some of this code had been written by developers in what was considered to be a potentially belligerent nation. However the code, of course, turned out to be Microsoft Windows, and the CIO of the US Air Force wasn’t worried about Microsoft or even the potential threat of adversarial software developers. No, his problem, like so many others, arose from his software supply chain.

Supply Chain Risk and Service Chain Risk

Whenever a major manufacturer purchases parts from suppliers, there are a number of acceptance … Continue reading