Digital Conflict

By Kevin Coleman


Software bugs: Recipe for cyber disaster

Software bugs are a fact of life. With all the tools and technology we use, they exist in virtually every piece of code placed into operation. There is a multitude of metrics available, and arguably the one most commonly cited indicates that there are between 10 and 20 defects per 1,000 lines of code (KLOC). Most of these are caught during the multiple levels of testing that take place during the software development and quality assurance processes. All the testing and reviewing of the code reduces the defect density to about 0.3 defects per KLOC in the production version of the software.

Two benchmarks are worth noting. First, based on a fairly robust history, there were an estimated 0.1 defects per KLOC in the space shuttle flight software. Second, as of 2012, the Linux 3.2 release had 14,998,651 lines of code.

So why don’t we just find and remove the remaining bugs? Multiple factors influence software quality: time, cost, diminishing returns and the fact that we have all been mentally programmed to accept software bugs as a fact of life, which we do. These errors cause system freezes, blue screens of death and other issues with which we are all too familiar. In many cases, they also become a security issue, and that is often the point of exploitation for hackers and malicious code.

Enter the bug bounty. Some companies offer a reward to those who are the first to find and report bugs in their software. Once a bug is discovered, software developers have a process in place to investigate the report, correct the defect and release a patch to be applied to the software in production.

The biggest issue is that criminal organizations, cyber terrorists, cyber espionage agencies and militaries creating cyber weapons are looking for bugs to exploit as well. While there are no hard numbers, you can bet that there are many more resources looking for bugs for illicit activities and profits than there are for improving software quality. That will not change any time soon.

Posted by Kevin Coleman on Apr 19, 2012 at 9:03 AM


Reader Comments

Mon, Apr 23, 2012

I think the Government should go to Open Source and drop M$.

Mon, Apr 23, 2012 Don Martin Washington, DC

The article assumes the adversary can get to the server to exploit the software. There is new technology that causes the server to go dark on the open Internet and only those credentialed can reach the server. Additionally, by obliterating the data on the back end, you remove any incentive to attack the server - they will never get to the data.
