Application Development - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  Application Development


Say No to Bad Code



 By: Jim Rapoza
2005-01-10
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Application Development story.


Rate This Article:
Poor Best
Opinion: Clean software at the start will save time and money—not to mention customers—down the road.

"So, Charles, tell me: How are your computer systems running?"

"Quite excellently, James, quite excellently. For months now, Ive seen neither hide nor hair of a security problem or vulnerability in any of my software applications."

"Thats splendid, Charles, just splendid. Of course, things have been grand for all of us since users and companies put their foot down and forced software developers to start producing clean, concise, secure code."

"Ah, yes, James. Remember those silly old days when we were constantly patching systems and scanning the news for problems poised to affect our applications? I shudder to think of all the money I invested in patch management systems."

"Well, things are much better now, Charles. But enough of this computer talk, Babbage, I do believe its cocktail time. And, I say, look whos here to join us. Its Alexander Hamilton, Daffy Duck and the young Elizabeth Taylor."

What? Who? Ahem, sorry about that—must have nodded off.

Resource Library:

And, boy, was that a crazy dream. Like anyone would believe that software developers would ever put a premium on outputting secure code.

I mean, why should they? Year after year, month after month and week after week, things just continue to get worse. And, incredibly, IT managers and executives seem to care less and less.

In mid-December, I received my regular mailing of alerts from The SANS Institute. The alert indicated that the week of Dec. 13 was the worst for new vulnerabilities since SANS had begun tracking them. One would think that this would be big news, but it wasnt.

But why should we expect it to be? Face it: The bad coders are winning. Theyve convinced users and companies that bugs, security holes and patches are inevitable, and everyone just shrugs their shoulders and accepts that—no matter how bad things get.

Click here to read about new high-risk vulnerabilities in Microsofts Internet Explorer and the open-source Mozilla browsers.

But it doesnt have to be this way. All of us have seen even large, complex applications with source code thats clean, free from bugs and secure. All it takes to write good code is the desire to do so, but there really isnt any incentive for software companies to write clean, secure code.

Youll never get the marketing people and executives to admit it, but get some of the developers at these companies to sit down for a drink, and theyll tell you that hitting deadlines, outputting lines of code and adding features are all ranked by their powers that be well ahead of writing good code.

And bad code, bugs and security holes will continue to increase unless customers of these applications force the vendors to change. And the most effective way to do it is to hit them where it hurts—in their pocketbooks.

Its funny. Many companies insist on uptime requirements and support levels, but these requirements mean very little to the bottom line if they arent met by the vendor. But bugs and security holes are guaranteed to cost your company big money—not just in downtime but in IT worker hours and additional software costs, such as patch management systems.

What companies need to do is start putting code-quality requirements into their software contracts. Set a base line for acceptable bugs and vulnerability events in the software. (I would go with one per quarter, but your needs may be less strict than mine.) If the software exceeds these thresholds, the vendor would have to start forking over cash.

Of course, vendors will complain that software is new and different and shouldnt be held to these kinds of requirements. All technologies are new and different at first, but they have to mature some time. At some point, cars were made so that they stopped breaking down every 50 miles, and electrical systems were designed so that they didnt regularly cause house fires. Software has had plenty of time to mature likewise, and the expectation for quality is overdue.

Some may say that Im dreaming and that software vendors will never be able to cut down on bugs and security holes. But Ive seen good, clean code, and I know its possible for any application.

And, if the Red Sox can win the World Series, then anything is possible.

Wait a second, that did happen, didnt it?

Labs Director Jim Rapoza can be reached at jim_rapoza@ziffdavis.com.

Check out eWEEK.coms for the latest news, reviews and analysis in programming environments and developer tools.



  Reader Comments: Say No to Bad Code
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Application Development Articles          >>> More By Jim Rapoza
 


x}r8s;iW1ŋvI-5m[KU-EB!)Խ~fMZll L$w~ IM˙Kל۔\sPç}$] 2i*_ d&@ jہ)}mk4 uBZ;[{#|6S9߽w A:|@DZ)&ӰY |/[3}BF\3b^Q$Ё_M¦͂%CxDRzGEQ}&k[tN(T|0tg"qa_R؀IYTb{Aq<5;^;F~Bz.Yu^V␌l׸ڮEX'/[vx)B,!bB]߂GCI%۝߼I@ؓth mur'bx#Qހ]õ]&Z.R͌eCwtPOMҷBCLH6}~8MZQM9$7 V\jyaOl+qtRe[7'0ml_k| tns<$s~3 CoZe؄j% =y7`JaC9LjZ L}:n/EӝÊfؖqWth(ݑV* (GZPʍ#gQ`9ؖ3lRzEÝ|g4;ڿP)J=.GA GnGp[I^׵ր}\\G[r ] + o%& ZDTQRh& Rc@G'$/@BK>o VQWB-r)ڑVR\GFZV@`F%pbQUrNgSKjй;d99?vΐ|bPk5Mz"1h gxo4X/:nNo/9nW>9ݐIɝF4Aqgs jʿy['^<$~<=`kh`cR^iHjg$N{'O2 )H|[:)2u'PZ,w fR'FT,>Jaf k$LJF m":u v5Po4C+D_HP'X][ P3Z$ߚ23}X MH5Ŧ]`)edFS4/\PP샖_΢[1jNTwEQc'ax<g6`Ϩ>0}FMk>ktIF$>2胎:m85ֹ" 47P}Hw@zqI$w8|}Zss{QKU4КkD#m *>ql8d()s>yp;XL-0(-I#=͋ư6 2+?>fCnH }PȀV|`{ >[39nȲAc@|j Jg:0$w2Z}#%>] cRRR$S_MPԤv9DBB !B60 HV(FDBjւ+NDk@G҅;qjRF=7Y +>*-qR% 53RYNf=?n3!U~G ,_E`z9r,T.i 6JԭyrY9ҴFhښ-Â-Gn]]ym6l`aT$%LEw\,O VXwp?7߄xEw{Jh`|XͰ b՜Ee5>dM)n,6S˘ \ W?f,qٛuV<ۢfa) lq;rׁfؓo\ȣ =p ؇&|UzI۶h \CmEc7˅L< +׬uPLg<)*h3yz2ĂM )ҧh ;BSj 3-  o_׆eK,|1tjbY9\l g}aOjK Wk^%%@Pб"AaK鬡aKUѫSOm{hCyh\,*':AÖ'"!1|ڧ>s3R*r7+ )T;Ofz^*k 6DZUUR;*Z 7;Aq{ q@|}1Moř1ftIi -wA!l^Z_09h>>> '22@3&z#Cj9aju2<~*36J%FhRBAeXL˧Fx`գ)u7qaz9N8 kqF=cvq:N (k X85 '& R9AG lɂtx!MUlpwY0XAC5"耰 +E6(=S!vV;+jS~i3H%kSs?@ŵQ6gicMMafFž,nJQ/=6yA؛qV܇v1"xኣ5TS;N7O VJ)6YS!bW hęf~o˪ɪgayϤ#|=]|bsHpDLk PRsQl7Xv@l̬[} u2m84~E50>Oi_LFb*T~\3 gg]c+w>e>c'_;zRc'o!:"t'n="w~{`ouɛ(.xg@5sgDcK:jC-'E&GtEk4FUk5W}zGdCzez%~ ~{qw;I L#e{\T*JZճ(*I$ {2t9t=d}kO?tyOUUASG;:9&_@ڨO( ] ?8ỸĤX2N*,E%R(NYc hٌjj_řZ{RWGF) "U!7T>x_7)~(\{C>m uAB>TQ]~UmRV%%~!WӒFiyB[֒-3q܇6J8-ܟ`"@N|G!ZOݼT%XR2i$y%%h[g o@PXC=B3t-nik.W26v ۽%jH@MY3CnƝj*Z%T/IjYxf:PȄOG[xupM\&$;s?sg`4=n=SGRiemRߓJ\Z cĽ)$jZ9 OdY.eժR+5jWʠˤ Z8`&,~;AtgC {D;80^xҸWZ`>*uN;8$#_>\JMF&fB,&8oHvI3^y{{>=^nx6(s6<8.odhT7.IwïUGJ:7];Oz<W, Y#tB\t7 ǧͦ vpRb^qH/=‴ )wsڹĂKӜ4"z?N3"nX qq);coM19¾UXHe`&|C,($T;0r$`$؏*Xu2ۿhdge؋^{ " m! D785S*PW22EHiA%N;'6' 69xDwDnr~#<B<Mp<& ]lX{p[JqGһ8 $GeS`ۇ.:s;di!Q9o <%(E٦z;7@dj&ubJT=‹z=O[?{0 clQ(S>x$zfennKlx8c%RȔ&=C8z>SB&Դ ۓ4-i^eqj ieʒ~i/i' ۡ ۓ_G8+ (OMkzwisy^]ҽ|sX<VpHC2à{ҾAB|Hy0#*vZZFZvl*?vƇ!hqbwyAH0GW吜F\C=r65_f}z@Q7-gF?KȸGu*b9l_Aݾ0nae1쭿r0nwft-z{Oj\.3}A&ZnL xV=' 49 1;6q=IА[=ty9!-[_ܓ9̆{_J'oc Ǿv/ۻw}Z:w[q*ApKG<,,G&c:I"IQU֫EdU)IW}Y)WC]LFxLt.AoFǥ4LZ2g;;;G׍;qGe#f0XoWƹE!0u?h3n8~BSgK%r_6jD Nt5U{IN5psז90ɪ7=E$/Av} mD>?GkoDL;*t'x||nƄ60cԱٍE|Syg!ldaзFZ)3)$ƙx <v<.;߭[(<A~A< v4*){+x̛f}ia;⻆–~@F'fiOX w+O*[QVD3|} rx|[vz_c\RF<7%we\_lZR| \B՞݊M@,2nm>ZQ-Fs?ٿS+xϷt4/`8[&5#,Ҝe6ՒVM&lş&98?~9/mr a&j7 mɵSr _j o=Cr8j4=ǹPx˻; } f/ Й޶92 YSՒҐQ UAtۘM =$dysQ4>o WH'a]dY@h{vg.H)iilqdmWh|O2}AomIgh/OP/`[uFĨ͍>C^ʈܓ5 KwNܔ' ܉uZn ЖdS9|'Cv$HwD)kB{K w@%-p/tg&4|p,vYDءd>Ԏ=ζO~tδ8>,B3L:W)gQjx\K3')nv%<$=7 8%T/$E",mƐ>w1քE]D:$+A1屔ӱy,L0Q -n&O6(C@A҇C 9$a6TZS*ʍ}j=rO7s-_ 5Bٳ>S!E`@Dq}uYմz)}:Py#Pb[HP1T=$LFyWΠь*G 4wȝR/EťRAuCZD !<q9w7EE."48nW_(_9z'6ަo吕tؖ.^*NY@T>H<؁灤iJDQ'h "pa6SkӋ!!#m=VbwrےKťPrgKNF}W껧BJAR*rDa6`6Alp2HQ TYږ*/E<TEhH]6fR7 jXƮl=~}#IHF@FK@W@/'OC5w""+O'=':}xߨL qףKtLa-m`XrO ! 0,k!"cm=Vb')I(mi rQՀƘJ{NvI*r)7*W-tʉ "[cH?(^jJ a!I}ٝHH- ^Omϛ4 \w|B÷TS`t@ЯV+c롷.B36Vf_`_+"z7S7S7S7S76* Zy׏A'ɦ& E2;;f ݁t b5/*J"L7b$L ev/?OKU$0L)J:@5.UA DE7\P6oԬHk}bNY:qgޜO>*辿zP t%m}Y|A/Mr4w.a# <+m;65' M ('b[RVŷo|Մćo6Is1 XOXu.A}i2 }!.%T^I!ˋ(qߢ f\t۾Ta _^ !5O8|3>$?%qHk-b+4 e0u}.ڞ'NؚeJc aHo3lwAit}H)M1>n`uI5GH|%їdC^ mI\_tch/tG"6ہ}8A31~uca0E8lpHl9 eI>U6?K[?7777Wn,UZ6Ƣ~ Z. uÞcX(TRԗ̾ ;> }Hz>hz  &%gfiD@Gа[ R)`m\?HKcTTN<_')l1?>V^晴|N\sٞCΛuQj>g掭  )M^O9>(,P `ٔوoF0IN ,AXֳif~ӾB%n1n.c@k !%`lc:G&O @kx|kmY71u$ ݷPonj0j^[vO|FlmJmEaByНZ{ۿ:ݡkZ_H){^HK|5՟zafq\O? +j5 {q'Û60޽态71<( sh~2d671<^II-=ڶ#l0M#ۀږű6axV.T~uσ dE͵8Og=] X6/Eb%Z~&w"Z[z=W?!,DSXubC4tF87emV3ƚy< mj$J ( > 5>Q+h νkojZ}|y_ڋK۪_xoۭ[T@E@krw2l [xzj=-Dw߁\<@E!/62\BnşmOAuũٛ*ȡ-9%T׏G`*׶/^0&EǹaI'0Vz*bdfiAh!Fv{Kb+S6QF$hkJj%5VE.+sYlg= : ċ*=P]bF).o3욶Acˠ˩kSt> D@# %[ rV%w>f~z*>Ose~f(u 5 ]P88?AHe|6 |L'DOx c1rtd'7%Z;P[ٓGA8@`m¬DRSN&d&41 r42; joE֙I 9b ˈLT'I6X棙bhܳ]:oAN95kr HX:yss)aR;$Q@<Pt4'l69Hol}7@Fà!s3fWtVjMD)J]W0u!xW`ǪZI]Wt'03nV?O1.4%WPRh 4 V cvGCT)>z@T€،X\Sݹ.0C9ݐ69tHq{=qwן5}&ZGݩ;ǽO'OgݫMjPhYxs3f&SE`9+Up4ħEd@zWB+RyT}Q}x +7O@rO?ٜ9{6w i=ɇusUN>_/Oisȁ]2g~.a9y9\3K̡Oѫ_}97[N%_^U\]_O/G@r5u}\C7@?79Ӈs߇s?>G39ۼ|osڿ͡Z'I9s}S)JuC/*ȋ5ৼ|B]7 ?GUϡiz9ZmuB99^}JNV*iz_!4.5Pk oY;3ݲ7*I g< }}e}QƗ*Cymo2: ^AQ𨐲FwE6e+&Ȭ-'hHt]f=g%%eX-0?Ut{2ٹWޕ\~Ufe+t1ϋ2<=seqbn?AR̥-c@#}q8G.ūu>k:7 q3Z #Càk p;#9^֪0`}x별o ҹj_ ;,љϚ%aSedzX3/P !F0 0<䤟=svڢ{~58]pޣ6pM\wʟn Bߑ&)xT-kZYoZԪ俒 ,D8çUUUEVrp` VUr `"$! L:QȀFuo*#F0njE=uÐa0Vы;BDO"'F81UYmRPH6T<'M~ m'MqgID{o0]& =Ɓ<^A[%' e5<X!WKKǾD|&߲kz  U*A8l`nxN0F?q[<7T߱ BD`|,!7C9Rhe.~Yϩȳ055]^LrKVʧ0Ip[N$d_jV`LzqcYRǔ030{_@G0mĤ@6H8&m :T#Zc1c͙PcPFĊ(1L;-i Oa!ҽ|۸<;zlF,fOnԙegR Hn<)O@j1x ?z!_L)8" CtSfyF41a&^Ϙ ˙fo<@p]5, !G+xTf;`16IXR/!I]mx} 0,~/(l- e'|}7{ /dq-+v0l®ϥovHyE_OD&M%|CbF$]t "!_Rah.y㶁! 3 I:val|J9J'"O j7;1Te]ZaiѶY ZQ/~lO(#k GL,>iЄ.Yp祎(hU|>cy祠iDK8$q:ۓm|?/Ge:з57b8P| >4(Na2)1F gwx}z 2m^;FfB~eaԐZϼ:;ʆo/rQF$V/1/y╔ul}+m=PX1+ NR &t;g # iۂv<׍ŵk[ƂIrz bd#Ѩ %תr&{+vyej  ؞տHQ#FY!A CWqk @{kųy6L= 1!j4]~0y-BL+6 IQE6;|,݈bZ"NJ i)9=O9.*JH6^?rCft*$o@˭k]Ag"a?_hy#?yb3S2wħ$Yw @ Ogq|A>&:x~eQg@xT\*O7 PY{鐻T7uG?<;n%5_;QyB;FLl4$ٷE&?#[7xq7WRTF^ZP$Di' AHEcۧݫN޿`*X[8Mlƛ|ǠbPlyTVK9Fvö36EOZ\֓RzvFًVSزM*_d%r RWW ūiS}&2eqba؄;!6BJkl{6 qz{)