Software Quality Gets Better through Standardization NOT Innovation


DARPA's quest for better software quality is honorable but misguided.

Terminator 2: Judgment Day, Carolco Pictures

DARPA, the US military agency that oversees the technologies used by the military is looking for innovative ways to improve software quality. To make this happen, it’s soliciting proposals from private organizations to help them come up with new ways to make software quality and security work. The agency is looking for unconventional approaches that, as they put it, “have the potential to radically change the established practice.” DARPA says the current software quality methods don't work well.

But is this really the right approach? Do we need innovative, self-healing systems, or should we instead take a step back and look at whether we're even implementing our software correctly using what we already know –patterns, best practices and standards.

Let's face it; we all know software is filled with bugs. An app on your phone crashes and you simply restart it. A website messes up and just refresh the page and forget it. People have come to expect this kind of behavior. But then something big happens that we can't just shrug off: A major retailer's servers are hacked, and data is stolen. Banks respond, people react, and while this was a big deal, six months later everything settles down and our lives go back to normal. Until it happens again.

Everybody agrees that this is not good, and while people may have grown accustomed to it, DARPA must have hit its breaking point as it sees systems contunually getting broken into. Now, DARPA is looking for something innovative. And when it finally establishes some new and novel ways to fix it, what will happen when those measures are cracked? Come up with even more new and novel ways?

Perhaps this isn't the answer. Perhaps we need to look at what we have and ask ourselves: Are we truly following software engineering best practices? Are we truly capable of creating code that is reliable, secure, and stable? Is quality software possible?

Consider the reality of how systems are broken into. We hear on the news that a password file used the wrong kind of hashes. We hear that a program has a vulnerability that allows a “Shellshock” attack, whereby somebody can gain unauthorized access to the computer. Then we all install the patches.

But what are these patches fixing? An underlying bug in the encryption? No. Today's encryption is still strong, requiring thousands of years of computing power to break. What they're fixing is almost always problems in how the encryption was coded and implemented. They're fixing a software programmer's mistake, not the encryption algorithm itself.

The answer is for programmers to learn the best practices, for managers and executives to use tools that can give them high-level reports on whether the software is constructed using the best practices, sound software engineering techniques, architected well, and to understand if software developers or IT vendors are taking shortcuts. Mistakes happen, and often these mistakes are due to a programmer not being aware of a security risk in his or her code. Certain types of vulnerabilities (such as SQL injection) are easy to avoid, provided the programmer knows to write code correctly to avoid the problem.

DARPA's mission to improve software quality is honorable but misguided. We need to continue striving towards better execution in our software, and make use of the software quality tools and technologies available to us to help us find the problems in our code, rather than simply throw away our old approaches. Only then will we finally have quality software that we all safely can count on.


Filed in:
Get the Pulse Newsletter  Sign up for the latest Software Intelligence news Subscribe Now <>
Open source is part of almost every software capability we use today. At the  very least libraries, frameworks or databases that get used in mission critical  IT systems. In some cases entire systems being build on top of open source  foundations. Since we have been benchmarking IT software for years, we thought  we would set our sights on some of the most commonly used open source software  (OSS) projects. Software Intelligence Report <> Papers
In our 29-criteria evaluation of the static application security testing (SAST)  market, we identified the 10 most significant vendors — CAST, CA Veracode,  Checkmarx, IBM, Micro Focus, Parasoft, Rogue Wave Software, SiteLock,  SonarSource, and Synopsys — and researched, analyzed, and scored them. This  report shows how each measures up and helps security professionals make the  right choice. Forrester Wave: Static Application Security Testing, Q4 2017  Analyst Paper
Making sense of cloud transitions for financial and telecoms firms Cloud  migration 2.0: shifting priorities for application modernization in 2019  Research Report
Jeff Cogswell
Jeff Cogswell Full Stack Developer
Jeff Cogswell is a Software Developer at Keypath Education and is responsible for producing high-quality, scalable, cloud-architected software and desktop applications. With more than 20 years of experience working in the software field, Jeff is an expert in scalable development using AWS, node.js, SQL and NoSQL.
Load more reviews
Thank you for the review! Your review must be approved first
New code

You've already submitted a review for this item