Claudio LoCicero

Application Code Inspections: The Good, the Bad, and the Ugly

Submitted Sunday, October 28, 2007


Why is it that, after much discussion over many years, we are still talking about software vendors putting to market applications that are plainly not ready for prime time?  Applications with numerous bugs, undocumented quirks, and security holes are being developed and sold every day by large software companies and independent application developers alike.  Is it that code inspections are not widely implemented, or that the testing performed is not comprehensive enough?  What is code inspection, and how do a software vendor’s management and human nature interact to play a role in this problem?

Code inspection is a very in-depth review of code in which a group of people goes through the logic of each line of code in an application.  The first problem that comes to mind is that applications can range from a few lines of code to several million, so code inspection can be a very long, tedious, and demanding ordeal for those involved in the review.  This brings me to the next point: who would be involved in the review.  One group would be the developers of the application; the others would be programmers themselves, professional application testers, or both.  From the perspective of the application developers, this process could have the look and feel of an inquisition, and they may not be too forthcoming during it.  If all those involved are cordial and professional, and the application developers do not easily take offence at close inspection of their work, then the process should run smoothly.

Code inspection by these teams can normally be performed at a rate of about 150 lines of code per hour and, if my math is correct, a medium-sized application with 99,000 lines of code would take approximately 660 hours to complete, or over 82 eight-hour days.  Of course, breaking the task into multiple blocks for several teams to work on would reduce the timeline, but this may not be advantageous: the continuity and cumulative knowledge gained by reviewing the application from start to finish, which contribute to better inspections, would be lost.  Then there is the issue of it being almost humanly impossible to spend an entire 8-hour work day reviewing code; a more realistic amount of time per day to review code is 5 hours, which would increase the overall timeline for completion, in this example, to almost four and a half months.

Unfortunately, the management of many software companies does not fund such an in-depth review process and may permit only a cursory inspection, then adopt a stance that it will develop patches if and when errors are reported by consumers.  Software developers that create applications that control medical and safety equipment do not normally take this approach, but there have been cases (the Therac-25 radiotherapy machine comes to mind) where complete inspections and testing were not performed and lives were lost.

Customers normally, and understandably, believe that a fiduciary relationship exists between them and the companies that sell them products.  This natural human trust extends to software developers: customers believe that the vendor has done its due diligence to ensure that the application is free from defects and that they are purchasing a quality product.  We know that this is not always the case, particularly when you read the licensing agreements…yes, the licensing agreement.  That is the text you first see when installing an application, and it completely explains the rights afforded to the consumer and the rights afforded to the vendor.  Clicking the “I Understand” box and then clicking on “Next” without reading it, as most people do, will prevent the customer from realizing that usage, or merely the installation, of the application signifies full acceptance of the terms, which invariably include a provision that indemnifies the application developers or the software company from any liability stemming from the usage of the product.

Perhaps the solution to this seemingly age-old problem is the introduction of legislation requiring the elimination of such clauses from licensing agreements, which may eventually become the catalyst for the development of defect-free software.


Written by Claudio LoCicero, M.S.

Over his career he has held several technical and management positions both in the United States and overseas within the private and government sectors.  Claudio LoCicero holds a Master of Science in Information Technology with an Information Security Specialization.  He also holds numerous professional certifications such as the PMP, CISM, CISSP, ITILF, along with several certifications from Cisco, Microsoft, and the NSA.






Article added to SearchWarp.com on Sunday, October 28, 2007