[trustable-software] Does Code Reuse Endanger Secure Software Development? [slashdot]

Don Brown don.brown at codethink.com
Tue Dec 20 12:33:30 UTC 2016


Hi Everyone,

Allow me to preface this post by saying that I understand that testing 
is only one component of Software Quality, but I am thinking about this 
from the "developer, or development team at his or her desk working on a 
project with a budget and timeline to meet." Also, I am picking on the 
Boost Library as an example of a third-party library that I may need to 
accomplish the project effectively.

With that being said:

It occurred to me that re-using code from a previous project raises an 
interesting question regarding the proof of software quality.

    - If I am re-using my own code that I deployed in a previous project, 
my confidence, or trust, in re-using that code is far higher than 
re-coding those parts for the new project.
    - If I am re-using code from a well-respected, third-party source 
such as the Boost Library, my confidence, or trust, is a bit lower, but 
still pretty high.
    - If I am re-using code that I downloaded from 
"www.this-will-fix-all-your-problems.com," my confidence, or trust, is 
very low and re-writing it may be my best option.

Then I started to ask myself "Why?" for each scenario above.
    - Some code that I write might have those long-term dormant bugs that 
were pointed out by Paul in his response.
    - Some code that I include from a well-respected, third-party source 
like Boost could also contain those long-term dormant bugs just waiting 
to be exploited - completely unknown to me.
    - However, if I try to re-write the Boost library I guarantee the 
number of bugs will be far higher - if I can even get it to work.

It seems to me that code re-use is very necessary to complete a project in 
a timely manner. It does speed up development, but you inherit all the 
bugs that go with it.

When we download the Boost library version x.y, we have ways of checking 
that what I downloaded was what the developers created via an MD5sum. We 
need the same thing for the testing. Granted, it won't be as easy as 
running a checksum, but what if I could download the tests that were run 
against the Boost Library so I can have the same confidence in that 
version that the developers had when they released it?

This connects the testing of the code to the code itself. It would be 
far easier for a developer to download Boost and its testing library, 
run the tests and evaluate the results. If it fails one, I am alerted to 
a potential bug. If it passes the tests, then I can assume the same 
confidence in that version as the developers of Boost have. I have now 
duplicated one step of the Boost developers' software release process 
that gave them the confidence to release that version in the first 
place.




-- 
Don Brown
Codethink, Ltd.
Software Engineering Consultant
Indianapolis, IN USA
Email: don.brown at codethink.co.uk
Mobile: +1 317-560-0513
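
Added example, not part of the original post and not Boost's own tooling: a sketch of the check described above, where a release manifest ties the source archive, the test bundle and the publisher's per-test results together. The manifest layout, `check_release` and all sample data are assumptions, and SHA-256 is used in place of the MD5 sum mentioned in the post.

```python
import hashlib
import hmac

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def check_release(manifest, source, tests, local_results):
    """Return a list of findings; empty means the local run matches the publisher's."""
    findings = []
    # Step 1: the code and the tests must both be the bytes the publisher released.
    for name, blob in (("source", source), ("tests", tests)):
        if not hmac.compare_digest(sha256_hex(blob), manifest[name + "_sha256"]):
            findings.append(f"{name}: digest mismatch")
    if findings:
        return findings  # test results from unverified artifacts prove nothing
    # Step 2: every test the publisher recorded must give the same outcome here.
    expected = manifest["results"]
    for test in sorted(expected):
        got = local_results.get(test, "not run")
        if got != expected[test]:
            findings.append(f"{test}: publisher={expected[test]} local={got}")
    # Step 3: flag local tests the publisher never recorded (different test set).
    for test in sorted(set(local_results) - set(expected)):
        findings.append(f"{test}: not in publisher manifest")
    return findings

# Constructed sample data (not real Boost artifacts or test names).
SOURCE = b"constructed source archive bytes for libexample x.y"
TESTS = b"constructed test bundle bytes for libexample x.y"
MANIFEST = {  # assumed to be authenticated separately, e.g. by a signature
    "source_sha256": sha256_hex(SOURCE),
    "tests_sha256": sha256_hex(TESTS),
    "results": {"test_parse": "pass", "test_format": "pass", "test_io": "pass"},
}

if __name__ == "__main__":
    local = {"test_parse": "pass", "test_format": "fail", "test_io": "pass"}
    for finding in check_release(MANIFEST, SOURCE, TESTS, local):
        print(finding)
```

A manifest fetched from the same location as the archives only detects corruption; the comparison carries weight when the manifest is authenticated independently of the download.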


