Its been awhile since there was a bugs vs flaws debate, so here is a
snippet from Jaron Lanier
Q: What's wrong with the way we create software today?
A: I think the whole way we write and think about software is wrong.
If you look at how things work right now, it's strange -- nobody --
and I mean nobody -- can really create big programs in a reliable way.
If we don't find a different way of thinking about and creating
software, we will not be writing programs bigger than about 10 million
lines of code, no matter how fast our processors become. [After
publication of this interview, Jaron Lanier realized that his sentence
should read: "bigger than about 20 to 30 million lines of code...".]
This current lack of scalability is a universal burden. There are
monopolies in our industry because it's so difficult for anyone to
even enter the competition; it's so hard to write large software
applications. And that's strange to me. If you look at other things
that people build, like oil refineries, or commercial aircraft, we can
deal with complexity much more effectively than we can with software.
The problem with software is that we've never learned how to control
the side effects of choices, which we call bugs. We shouldn't be
complacent about that. I still believe that there are ideas waiting to
be created, and that someday we will have new ways of writing software
that will overcome these problems. And that's my principal
professional interest. I want to make a contribution to making bugs go
Q:Aren't bugs just a limitation of human minds?
A: No, no, they're not. What's the difference between a bug and a
variation or an imperfection? If you think about it, if you make a
small change to a program, it can result in an enormous change in what
the program does. If nature worked that way, the universe would crash
all the time. Certainly there wouldn't be any evolution or life.
There's something about the way complexity builds up in nature so that
if you have a small change, it results in sufficiently small results;
it's possible to have incremental evolution. Right now, we have a
little bit -- not total -- but a little bit of linearity in the
connection between genotype and phenotype, if you want to speak in
those terms. But in software, there's a chaotic relationship between
the source code (the "genotype") and the observed effects of programs
-- what you might call the "phenotype" of a program.
And that chaos is really what gets us. I don't know if I'll ever have
a good idea about how to fix that. I'm working on some things, but you
know, what most concerns me is what amounts to a lack of faith among
programmers that the problem can even be addressed. There's been a
sort of slumping into complacency over the last couple of decades.
More and more, as new generations of programmers come up, there's an
acceptance that this is the way things are and will always be. Perhaps
that's true. Perhaps there's no avoiding it, but that's not a given.
To me, this complacency about bugs is a dark cloud over all
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.