Thursday, January 1, 2009

Geekonomics ... What does a bug really cost?

I recently finished reading Geekonomics: The Real Cost of Insecure Software, which is a very well written analysis of the problems caused by insecure software (or poorly written software, if you like). This is a book that should preferably be read by everyone involved in the development process, but at the very least all you architects out there should consider it a must-read.

It paints a pretty grim picture, but is in no way exaggerated. Technology is digging itself deeper and deeper into the very fabric of our societies, which brings us great advantages but also presents some very dangerous scenarios. This is a subject that has been nagging in the back of my head for about a decade or so (about the time when my first son was born). Mostly, when you talk on a topic like this, people tend to think you are exaggerating. However, as the book clearly shows, there are numerous well-documented cases where the shit really hit the fan.

One such case is the hacker attack on Estonia in 2007 that more or less shut down the government in Estonia just because they decided to take down a Russian war monument. Another incident is in the epilogue of the book, which is a little nugget about when World War 3 almost started due to a software glitch in the Russian radar system.

So what's the deal, why do we have all these problems with software? Well, there are many factors, but one prominent one is the fact that most software vendors are operating in a market-based economy without any governmental regulations in place. The market is supposed to be self-regulatory, but when competition is driven by constantly creating new features and not necessarily by utility, secure software is not always at the top of the list. Writing truly secure software is very hard and comes with a high monetary cost but little or no "bling bling". The whole software industry is operating in a "just ship it" mode or, as Guy Kawasaki very eloquently put it:

“Don't worry, be crappy. Revolutionary means you ship and then test...”

The author concludes that the tipping point beyond which it is impossible to take back control over software is rapidly approaching. We need to put into place governmental regulations for markets that affect our infrastructure as a whole, licensing of software developers needs to be put into place, and we need to take away the absolute immunity granted to the software manufacturers by adhesion contracts.

He also proposes an interesting idea about vulnerability taxes that would work similarly to pollution taxes: the more defects you unleash on the market, the higher the taxation. This is an interesting concept, but it has some issues when applied in a competitive market.

Personally, I think that we need to put all the above into place, but we also need to apply the mentality of "act local, think global", and as software developers we need to take pride in what we do and consider our work more of a craftsmanship.
