Stories
Slash Boxes
Comments
Search

News for nerds, stuff that matters

Slashdot Log In

Log In

Create Account  |  Retrieve Password

Programmers Learn to Check Code Earlier for Holes

Posted by Zonk on Thu May 04, 2006 02:15 PM
from the good-practice dept.
Programming IT Technology
Carl Bialik from WSJ writes "Many companies are teaching programmers to write safer code and test their security as software is built, not afterward, the Wall Street Journal reports. This stands in contrast to an earlier ethos to rush to beat rivals with new software, and, of course, brings tradeoffs: 'Revamping the software-development process creates a Catch 22: being more careful can mean missing deadlines.' The WSJ focuses on RIM and Herb Little, its security director, who 'uses Coverity every night to scan the code turned in by engineers. The tool sends Mr. Little an email listing potential red flags. He figures out which problems are real and tracks down each offending programmer, who has to fix the flaw before moving on. Mr. Little has also ramped up security training and requires programmers to double-check each others' code more regularly.'"
+ -
story

Related Stories

[+] Technology: Firefox Analyzed for Bugs by Software 226 comments
eldavojohn writes "In a brief article on CNet, a company named Coverity announced that Firefox is using software to detect flaws in Firefox's source code. Even more interesting is the DHS initiative for Coverity to use this same bug detection software on 40 open source projects." An interesting tidbit from the article: "Most of the 40 programs tested averaged less than one defect per thousand lines of code. The cleanest program was XMMS, a Unix-based multimedia application. It had only six bugs in its 116,899 lines of code, or .51 bugs per thousands lines of code. The buggiest program is the Advanced Maryland Automatic Network Disk Archiver, or AMANDA, a Linux backup application first developed at the University of Maryland. Coverity found 108 bugs in its 88,950 lines of code, or about 1.214 bugs per thousand lines of code." We've covered this before, only now Firefox is actually licensing the Coverity software and using it directly.
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

Programmers Learn to Check Code Earlier for Holes 25 Comments More /

 Full
 Abbreviated
 Hidden
More
Loading... please wait.

  • This just in: (Score:5, Funny)

    by r_jensen11 (598210) on Thursday May 04 2006, @02:17PM (#15264310)
    Writers are encouraged to proofread.

    • Re:This just in: (Score:5, Insightful)

      by Anonymous Coward on Thursday May 04 2006, @03:15PM (#15264823)
      No point you proofreading you own code. You see what you think you've written, not what you've actually written, therefore don't spot any problems with it.
      The trick is to get 2-3 other people to review it.

      1. The earlier you spot a defect, the cheaper it is to fix.
      2. Test results are only as good as the test code written.
      3. Edge cases don't normally show up in test code. Test cases are typically designed to show that the code works, rather than finding the boundary where it fails.
      4. You can suggest better ways of writing the code/learn new tricks during code reviews.

    • Wow. A 'Developer' article (Score:5, Insightful)

      by ishmalius (153450) on Thursday May 04 2006, @04:14PM (#15265303)
      I'm just so happy that a "Developer" article actually made the front page. I have been afraid that the tech level of the audience of Slashdot has been falling lately. Compare it to the number of "Game" articles on the front page.

      But to stay with the topic, analysis tools are just that: tools. They are not a cure to chronic software problems. Developers are not excused from the responsibility of at least attempting to write quality code.

      Some current project development methods really contribute to buggy and insecure code. Example: XP. I really think that some aspects of XP programming are a bad idea. Namely, the "code as fast as you can" aspect of it is fraught with errors. A more thoughtful, disciplined approach might seem like it is terribly slow. Yet being inherently less buggy, it can reach the target faster than the sloppier, more haphazard approach. This is much like the Tortoise and the Hare. Or maybe a better analogy would be like a rally driver who is more careful with his fuel and tires.

      Don't get me wrong. Some parts of XP are fine. The Buddy System is an excellent way to get things done quickly by short-circuiting the collaboration cycle.

  • static_analysis++ (Score:5, Interesting)

    by tcopeland (32225) * <.tom. .at. .infoether.com.> on Thursday May 04 2006, @02:17PM (#15264311) Homepage

    Static analysis is great stuff. I've worked on an open source Java static analysis tool, PMD [sf.net], for the past few years and I've gotten lots of feedback from folks who have used it to find all sorts of things in their code. Just a quick scan for unused variables can yield some excellent results, and the copy/paste detector works quite nicely too. And there's a book, too! [pmdapplied.com]

    Coverity's doing a nice job with their tech marketing, too - l think a couple of open source projects are using the stuff they found to clean things up. At least, there's been a fair amount of traffic on the Ruby [ruby-lang.org] core list about some things Coverity's scan found. Good times...

    • Re:static_analysis++ (Score:5, Informative)

      by Stellian (673475) on Thursday May 04 2006, @02:46PM (#15264591)
      Enough whith Coverity allready. It's like the 50th slashdot article that talks about this.
      FYI, it costs about 50.000 $ for a medium sized project (500.000 lines), and is no more than a lint on steroids. Here [infoworld.com] is a somewhat cheaper competitor.
      None of this tools is a mach for a manual audit performed by a professional.

      • Re:static_analysis++ (Score:5, Insightful)

        by IamTheRealMike (537420) on Thursday May 04 2006, @04:31PM (#15265454) Homepage
        FYI, it costs about 50.000 $ for a medium sized project (500.000 lines)

        Yes it's incredibly expensive. Yet, plenty of well known companies pay for it, so I suspect it's worth it to them.

        is no more than a lint on steroids.

        Er, no. No, no, wrong, no.

        I've got access to the Coverity results for WineHQ. It's already found many problems that evaded both manual code review and unit testing. Its rate of false positives is remarkably low once properly configured. A lot of these problems would only occur in obscure circumstances or on error paths - but these are precisely the kind of errors that unit testing tends not to reveal. It can detect problems like race conditions or memory leaks that lint cannot. The recent X security bugs were revealed by the tool first.

        I've seen tools like this before, but not one as good as this. I've never used competing commercial products, so cannot speak as to their effectiveness, but for a large C++ codebase I would certainly be happy to have such a tool helping me out.

        Microsoft have used similar programs developed by MS Research on the Windows codebase for some time now and they're apparently very effective. Quite a lot of security problems revealed by them were silently fixed along with other problems in updates.

        None of this tools is a mach for a manual audit performed by a professional.

        Totally wrong. Every patch that gets checked into Wine passes code review by at least Alexandre who is without question the best programmer I've ever met. He is easily as good as Linus but his much quieter and more conservative personality means he doesn't get Linus' press attention (a good thing, imo). And all the patches are posted to a public mailing list where several other people can and do review patches too.

        Static analysis can reveal problems that simply don't get spotted by the human eye because they're too complicated to follow, because they occur in very weird situations, or because the code evolves over time under the direction of many different people and inconsistencies creep in.

      • Re:static_analysis++ (Score:5, Insightful)

        by Coryoth (254751) on Thursday May 04 2006, @03:18PM (#15264844) Homepage Journal
        Also, back on topic, try writing financial software some time. It's like a different world. Everything is unit tested, and the unit tests don't so much check for bugs as prove that your code works.

        Unit tests don't prove your code works any more than drawing a few right angled triangles and measuring the sides proves Pythagoras' theorem. If you want to prove your ode works you use a theorem prover. To do tht you usually need to provide more detailed specification (beyond just type signatures) about how your code is intended to function. That tends to be more work, though if you really need to know your code is going to work it can often save time in the long run (over ridculously long and exhaustive testing). There are things out there that provide toold support for theorem proving aout your code: SPARK Ada [wikipedia.org] along with the SPARK tools provides a powerful theorem prover, and HasCASL [uni-bremen.de] with CASL tools (including the HOL theorem prover) provides string theorem proving for Haskell. Even ESC/Java2 [secure.ucd.ie] utilises a theorem prover (called Simplify) to provide extended static checking of Java code. I'm sure there are more examples.

        My point is not that Unit testing is bad (it's very good), but that you shouldn't overstate its effectiveness. Unit tests are a great way to provide a reasonable degree of assurance that your code will hopefully ork as intended. It isn't a substitute for actual assurance however. It really depends on exactly how sure you need to be - how much an error will cost, and whether that can be tolerated.

        Jedidiah,

          • Re:static_analysis++ (Score:4, Insightful)

            by Coryoth (254751) on Thursday May 04 2006, @03:42PM (#15265027) Homepage Journal
            I've worked in industry as a mathematician. When we say we're going to prove something we actually prove it, rather than just tossing out a few random examples for demonstration. Given that a piece of software is, at its heart, just a lot of mathematics, and the fact that it really is possible to prove things about code in the real sense of the word, I would be very careful about saying you "prove" your software works.

            Jedidiah.

  • I hold any bet (Score:5, Insightful)

    by Opportunist (166417) on Thursday May 04 2006, @02:20PM (#15264352)
    After missing a few deadlines, the marketing goons will push to abandon security for more crap on the shelves.

    After all, that's how the software market works. People buy anything. "LOOK! THE NEW (insert program/OS name here)! I MUST HAVE IT!"

    Stable?
    Secure?
    Mem-leak free?
    In one word: FINISHED?

    Who cares? It's new, it's shiny, it's been all over all the mags and preview pages, the hype is on, WANNAHAVE!

    And as long as we keep buying the unfinished crap, it won't change.

    Yes, I'm sure everyone in the tech departments would see this as the right way to go. Test your software, preferably during development, not afterwards. Go through memleak tests, go through stability tests, have some experienced whitehats poke at it, and if it survives, let it go into beta.

    If anyone gets that idea past marketing, I will bow down to him.

  • Catch 22? (Score:3, Insightful)

    by Tourney3p0 (772619) on Thursday May 04 2006, @02:21PM (#15264354)
    Revamping the software-development process creates a Catch 22: being more careful can mean missing deadlines.

    Alright, so writing better code means you might miss a deadline. But not writing better code means.. things are exactly as they've always been, or the software development cycle will be revamped appropriately?

    Not much of a catch 22.

  • QA is..... (Score:3, Funny)

    by Wisp (1763) on Thursday May 04 2006, @02:23PM (#15264376) Homepage
    The new Black!

  • I do this personally. (Score:3, Insightful)

    by cableshaft (708700) <cableshaftNO@SPAMyahoo.com> on Thursday May 04 2006, @02:26PM (#15264400) Homepage
    I usually do some quick general design and planning beforehand, then go in and write the software one element at a time, testing to make certain it works properly before moving on to the next. The benefits seem to far outweight doing it the other way, for me, as it reveals problems I wouldn't have noticed in the planning stages in the design or implementation early, and it also helps isolate where any bugs would be located at, so I'm not checking all over the place.

    I'm not sure if it really saves me any time in the long run, but I'm much more comfortable coding this way, which is probably more important.

    Also, so far, I've been the only coder for my projects at work and my games at home, so it *might* not be quite as effective for large teams, although what I've read on XP seems to suggest that it can still be very effective.

  • Catch-22 (Score:5, Informative)

    by kentyman (568826) on Thursday May 04 2006, @02:26PM (#15264404)
    Revamping the software-development process creates a Catch 22: being more careful can mean missing deadlines.
    That's not a Catch-22 [wikipedia.org]. That's just a tradeoff.

  • Ain't gonna last (Score:5, Funny)

    by FiveDollarYoBet (956765) on Thursday May 04 2006, @02:27PM (#15264412)
    Those aren't security holes.... They're undocumented network transfer features!

    It sounds good and all but there's a direct correlation between the deadline and how bullet proof the code is.

    insert sig here

  • Well I learned that at Uni (Score:5, Interesting)

    by Yrd (253300) on Thursday May 04 2006, @02:28PM (#15264425) Homepage
    Correct-by-construction programming is a fundamental part of a proper education in software engineering, I would have thought.

    Where did these people learn to code?

  • That's why... (Score:5, Funny)

    by GillBates0 (664202) on Thursday May 04 2006, @02:29PM (#15264430) Homepage Journal
    I always make sure I use the highest quality bits when I program. You'll find none of those low-quality, flimsy and occasionally perforated bits in my code.

    Agreed, periodic checking for holes has it's own value, but nothing beats using the best quality, industrial-strength (tm) bits to start with, moreso while developing reliable software in the post-911 world.

  • This Just In From Microsoft (Score:5, Funny)

    by Metabolife (961249) on Thursday May 04 2006, @02:31PM (#15264455)
    After taking this training routine, Microsoft says that Vista will be delayed another 2 years.

  • gets() and people (Score:4, Insightful)

    by mkiwi (585287) on Thursday May 04 2006, @02:32PM (#15264466)
    Sometimes it amazes me what people do with the C programming language, for good or for bad. Take some pro programmers who I caught using gets() instead of fgets(). I'm not a rocket scientist, but I'd say anything that uses gets() is a serious problem, since that function does no bounds checking and is prone to attacks.

    How do people learn to code like this? Is it just early habits that do not go away?

  • OT: not a Catch 22 (Score:4, Insightful)

    by cain (14472) on Thursday May 04 2006, @02:32PM (#15264468)
    The example in the write up is not a catch 22 [wikipedia.org]. A catch 22 requires two things be done, each one before the other, thus neither can be done.

  • Thinly veiled ad? (Score:5, Insightful)

    by Mr Z (6791) on Thursday May 04 2006, @02:37PM (#15264515) Homepage Journal
    Is it just me, or does the article just read like a thinly veiled advertisement for Coverity? It's reads like a generic commercial template: "Meet Bob. Bob thought everything was fine. But then he discovered he had Problem X. That's when Bob discovered Company Y with Solution Z." (etc. etc.).

    • Re:Thinly veiled ad? (Score:4, Interesting)

      by cant_get_a_good_nick (172131) on Thursday May 04 2006, @02:41PM (#15264548)
      Seems they've been astroturfing for a while. wasn't that long ago they did a big writeup on flaws Coverity found in certain FLOSS projects. at least then they found some bugs and helped fix.

      I'm all for tools like this. YOu can find a billion text editors on sourceforge.net but very few good programmers tools. Just this smells like an add for me.
  • Tools are a cost effective way of checking source for lots of different kinds of problems. I have no direct experience of the Coverity tool, but see that they are certainly good at getting lots of publicity. A List of static analysis tools [wikipedia.org] is available on Wikipedia.
  • If being careful makes you miss the deadline, then the deadline is set wrong. Shipping a product with security holes that you knew about + could've fixed with a bit more time is how we got into the position we're in. Pushing back a release date to fix them first should be the rule, not the exception.

  • Obligatory Fight Club (Score:4, Funny)

    by Weaselmancer (533834) on Thursday May 04 2006, @02:57PM (#15264671)

    Narrator: A new program written by my company is shipped on time, but with bugs. The network stack locks up. The OS crashes and burns and scrambles the hard drive. Now, should we initiate a code review? Take the number of licenses in the field, A, multiply by the probable rate of failure, B, multiply by the average out-of-court settlement, C. A times B times C equals X. If X is less than the cost of a code review, we don't do one.
    Business woman on plane: Are there a lot of these kinds of bugs?
    Narrator: You wouldn't believe.
    Business woman on plane: Which software company do you work for?
    Narrator: A major one.

All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2009 Geeknet, Inc.