CEO complacency blamed for bug incursion

Last week was a wretchedly wormy week -- maybe the worst ever for computer virus attacks. With the MSBlaster worm still at large, SoBig.F slithered onto the scene and quickly earned the title "fastest-spreading e-mail virus," only to be followed by "Voyager Alpha Force," which targets SQL Server databases.

Not surprisingly, many industry watchers are opining on this slimy turn of events. One of the more pointed, if not downright incendiary, commentaries came on Friday from Adam Kolawa, CEO at software testing toolmaker Parasoft Corp., Monrovia, Calif.

"Our lives and businesses revolve around our computers," Kolawa said in a statement issued by his company. "We cannot afford to be constantly bombarded with viruses and worms. Today's CEOs have become complacent, putting up with development delays, cost overruns and tolerating inferior software. They have been lulled into accepting the message that 'bugs' are just part of the deal. As a result, operating systems are vulnerable to these attacks. There is a solution to stop this madness. When are people going to listen?"

Why do software developers ship products that are vulnerable to the mad machinations of virus writers? The heart of the problem, Kolawa said, is the widespread practice of going after bugs at the end of the software development process. By then, he believes, it's too late, because the bugs have been replicated too many times and have become too widespread, making it difficult to detect all flaws and leading developers to ship vulnerable products.

Kolawa's solution, which he declared with characteristic zeal "will even help Microsoft," revolves around his Automatic Error Prevention (AEP) methodology, which draws on the theories of industrial analyst W. Edwards Deming, who applied the concept to assembly-line production. "At the end of a television set production line, the TV is tested," Kolawa explained. "If there's a problem, it's the flaw in the production line that's repaired, not each individual TV set. Executives responsible for production line products, such as cars, televisions, even refrigerators, have been using AEP for many years. Car manufacturers do not wait until the end of the line to test various parts or systems of a car. That would be ridiculous, and ridiculously expensive."

Kolawa, co-author of "Bullet-proofing Web Applications" with Cynthia Dunlop and Wendell Hicken (John Wiley & Sons, 2001), believes that the software industry must "mature" to arrest and eradicate these breaches in software. Maturing, he said, means changing the way the industry deals with bugs.

"Why do people think that it is OK to do this in the software industry?" he asked. "There is a solution to all of these bugs, worms and viruses -- prevent them! How much damage has to be done before this market will mature?"

In his statement, Kolawa cited statistics from the National Institute of Standards and Technology, which put the cost of software errors at approximately $60 billion a year. "I am sure many CEOs would like to use their portion of that $60 billion, previously wasted, on another project," Kolawa said. "I wonder what the shareholders would say if they knew that these expenses could be eliminated?"

About the Author

John K. Waters is a freelance writer based in Silicon Valley.