Thursday, March 18, 2010

Software security ain't just for geeks

A lot of security issues would be mitigated, or avoided altogether, if practices for ensuring the security of software were applied continuously at the design and coding stages, rather than waiting for attackers to find and exploit the weaknesses and bugs. Unfortunately it almost always takes a costly and/or embarrassing breach, like some of the egregious examples cited by Mr. Kabay in his article below, before organizations even consider doing something about it. Even then, the tendency is usually to look the other way and "hope" it won't happen again, rather than deal with the underlying political, cultural, and change management issues — or else to reach for a quick technical "fix."


Pushing for software quality assurance

By M.E. Kabay

Network World
March 17, 2010

In my experience, some programmers and program development managers resist investing time in software quality assurance (SQA). In a recent research article on "Resistance Factors in the Implementation of Software Process Improvement Project in Malaysia," from the Journal of Computer Science 4(3):211-219 (2008), the authors summarized extensive published research on why people resist SQA. Experts have found that there are several categories of stumbling blocks to integrating SQA into the software development process (Table 1, p 213):

• Human: failure to gain top-level, thoroughgoing support for process improvement.
• Political: perceptions of loss of power.
• Cultural: organizational resistance to changes in long-established patterns.
• Goals: unclear, undefined, unmeasured goals leave people confused and uncooperative.
• Change Management: SQA must be integrated with and support the mission-critical goals of the organization.

An essential step in implementing new SQA processes – and continuous process improvement (CPI) in general – in any organization thus involves convincing all involved stakeholders (employees, managers, shareholders and even customers) that the project is worth the effort. I have some ideas from teaching that may be helpful in this task.

One of the key steps in teaching is to show students why a subject is worth learning. My practice, developed through four decades of teaching, is to start every lecture with an informal overview of how a topic relates to the real world. Thus in discussing SQA in a management of information assurance course or a systems engineering course, showing students some cases where SQA was lacking is an entertaining way of bringing the message home vividly.

The Forum on Risks to the Public in Computers and Related Systems ("The Risks Forum") of the Association for Computing Machinery (ACM), ably run for more than 20 years by Peter G. Neumann, is a goldmine of reports on the consequences – some of them hilarious – of poor software design and failures of SQA. My now-slightly-elderly supplementary lecture from the IS342 Management of IA course at Norwich University has lots of slides you can use freely in your own presentation on SQA failures. Here are some of the stories that usually get my students' attention:

• A 3-year-old gets an IRS refund for $219,495.
• Microsoft publishes an unverified Spanish thesaurus which includes insulting slurs, resulting in a public relations debacle.
• The ENT Federal Credit Union ignores months of customer complaints about their automated teller machines, allowing the defective programming to count only the first withdrawal by a customer – and resulting in $1.2 million in losses.
• A dentist receives 16,000 identical copies of a tax form.
• Flintstones cartoon viewers in Springfield, Missouri are unexpectedly switched to watching the Playboy Channel.
• A vagrant applies to Sandoz for a $2 refund on a used bottle of Ex-Lax but receives a check in the amount of his ZIP code – $98,002 – and promptly disappears after cashing the check.
• A programming error in the First National Bank of Chicago system adds $900 million (yep, million) to each of 900 customer accounts for a total accounting error of $764 billion (yep, billion).
• Smith Barney adds $19 million to each of 525,000 accounts (for only a few minutes) for the largest accounting error in history: $10 trillion.
• Los Angeles County underpays its employee pension fund for 20 years due to a programming error, resulting in $1.2 billion in unexpected liability.
• And my favorite demonstration that nobody can do mental arithmetic anymore – a secretary accuses a professor of creating 4,294,967,026 copies in two weeks (3551 copies/second continuously 24 hours a day) because the photocopier says so – and removes his photocopying privileges!

Next time, I'll present an interesting study of the value of automated SQA testing tools.


M.E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services and teaching. He is Chief Technical Officer of Adaptive Cyber Security Instruments, Inc. and Associate Professor of Information Assurance in the School of Business and Management at Norwich University. Visit his website for white papers and course materials.
