Sunday, February 25, 2007

More Engineering

I hate to keep doing this, responding solely to other people's posts.... but here goes again.

Sylvan wrote about other classes of software: Web Application Security Compared to Other Software.

I think that while the point is taken that web apps are thrown together without a lot of thought, most other software is too. Take a look at the number of network vulnerabilities out there, the bugs in something as critical as Cisco's IOS and you'll come to believe there aren't a lot of examples of software being done "right" at least by engineering standards.

There are a few cases where we don't hear of lots of issues - places where either regulation requires a certain standard of due care (financial systems) or where safety is involved (flight control, traction control, x-ray machine, etc).

It's only in those cases where there are strong liability concerns that we actually have what could even be called "engineered software." Everything else is, in my estimation (granted I'm not omniscient), pretty crap by comparison. If nothing else, it's because the people who wrote it may take pride in it, but aren't exactly staking their life on it and/or jail time.

That said, mistakes do still happen. Read Risks Digest for a few months and you'll start hearing of lots of things you couldn't have imagined were possible.

Still, every time I read an article in Risks about root cause analysis on a flight control system or train signal system I'm reminded how far we are from being able to do that sort of analysis and lessons-learned on regular software.

Oh, and on a final note: anyone have any estimates on what it would take to fund a real class-action suit against a mainstream software maker for negligence and/or non-fitness for purpose? I'm wondering what sort of fund we'd need to put together to get a lawyer to take the case, and how much we figure it would actually take to litigate and get some case law out there. A dangerous idea no doubt, but worth thinking about.