Software bugs: Recipe for cyber disaster

Enemies of the state are looking for software bugs to exploit.

Software bugs are a fact of life. With all the tools and technology we use, they exist in virtually every piece of code placed into operation. There are a multitude of metrics available out there, and arguably the one most commonly cited indicates that there are between 10 and 20 defects per 1,000 lines of code (KLOC). Most of these are caught during the multiple levels of testing that take place during the software development and quality assurance processes. All that testing and code review reduces the defect density to about 0.3 defects per KLOC in the production version of the software.

Two benchmarks are worth noting. First, based on a fairly robust history, there were an estimated 0.1 defects per KLOC in the space shuttle flight software. Second, as of 2012, the Linux 3.2 release had 14,998,651 lines of code.

So why don’t we just find and remove the remaining bugs? There are multiple factors influencing software quality: time, cost, diminishing returns, and the fact that we have all been mentally programmed to accept software bugs as a fact of life, and we do. These errors cause system freezes, blue screens of death and other issues with which we are all too familiar. In many cases, they also become a security issue, which is often the point of exploitation for hackers and malicious code.

Enter the bug bounty. Some companies offer some kind of reward to those who are the first to find and report bugs in their software. Once a bug is discovered, the software developers have a process in place to investigate the report, correct the bug and release a patch to be applied to the software in production.

The biggest issue is that criminal organizations, cyber terrorists, cyber espionage agencies and militaries creating cyber weapons are looking for bugs to exploit as well. While there are no hard numbers, you can bet that there are many more resources looking for bugs for illicit activities and profit than there are for improving software quality. That will not change any time soon.