blog

Squashing Bugs : How testing can help improve Software Quality

Early days of software development industry

In the early days of the software development industry, software was created by individual programmers or small teams of programmers working on their own. 

There were no established best practices or standards for software development, and the focus was on creating functional software as quickly as possible. This often resulted in software that was difficult to maintain or modify, and many early software projects were abandoned before they were completed. 

As the industry grew and matured, software development practices began to evolve, and the focus shifted from simply creating functional software to creating high-quality, maintainable software. 

Today, the software development industry is highly organized and standardized, with well-established best practices and a focus on creating robust, reliable software.

When did software discipline appear?

The concept of software discipline has been around since the early days of the software development industry. However, the term “software discipline” itself did not appear until the 1980s, when it was first used to refer to the principles and practices that software developers should follow to create high-quality software. 

Since then, the concept of software discipline has evolved and expanded, and today it encompasses a wide range of practices, including software design, coding, testing, debugging, and maintenance. And the humans who develop software are in the tens of millions rather than a few handfuls.

Being humans, these millions of people who write software for billions of computers make mistakes; lots of them. Fred Brooks, in his well-known and classic text on the challenges of software development says this about programmers:

“First, one must perform perfectly. The computer resembles the magic of legend in this respect, too. If one character, one pause, of the incantation is not strictly in proper form, the magic doesn’t work. Human beings are not accustomed to being perfect, and few areas of human activity demand it. Adjusting to the requirement for perfection is, I think, the most difficult part of learning to program.”

Flawless software?

It is generally considered to be impossible to create software that is completely free of bugs or errors. This is because software is complex, and even the most carefully-written code can contain errors. Additionally, as software systems become more sophisticated and are used in more diverse environments, the likelihood of bugs appearing increases. Therefore, it is generally accepted that all software will contain some bugs, and the goal of software development is to minimize the number and severity of these bugs as much as possible.

They can range in severity from minor annoyances that do not affect the functionality of the software, to major problems that can cause the software to crash or compromise the security of the system. Bugs are typically discovered through testing and debugging, and they are typically fixed by modifying the code to eliminate the error.

Common types of bugs

There are many different types of bugs that can exist in software. Some common types of bugs include:

  • Syntax errors: These are errors in the structure of the code, such as missing punctuation or mismatched brackets. Syntax errors are typically detected by the compiler or interpreter, and they prevent the code from being executed.
  • Logic errors: These are errors in the logic of the code, such as incorrect conditional statements or incorrect calculations. Logic errors can cause the code to behave in unexpected ways, but they do not prevent the code from being executed.
  • Runtime errors: These are errors that occur while the code is running, such as trying to access an array index that is out of bounds or dividing by zero. Runtime errors can cause the code to crash or behave in unexpected ways.
  • Semantic errors: These are errors in the meaning of the code, such as using the wrong variable name or calling the wrong function. Semantic errors can make the code difficult to understand and can cause other errors downstream.

  • Security vulnerabilities: These are errors in the code that can be exploited by attackers to gain unauthorized access to the system or its data. Security vulnerabilities can include things like buffer overflows, SQL injection, and cross-site scripting.

How much time is spent on debugging and code fixing in the software industry?

It is difficult to say exactly how much time is spent on debugging and code fixing in the software industry, as it can vary greatly depending on the size and complexity of the software being developed, as well as the skill level of the developers working on it. 

However, it is generally accepted that debugging and code fixing can be a significant part of the software development process, and that it is important to allocate adequate time and resources for this task. 

Some studies have estimated that debugging and code fixing can account for as much as 50% or more of the total time spent on software development, but this can vary depending on the specific project.

Examples of programming error in history

  • Y2K bug: In the late 1990s, many computer systems used two-digit years, which led to the potential for a “Y2K” bug when the year 2000 arrived. The bug was caused by the assumption that the year 2000 would be represented by “00,” which could lead to errors in software that relied on date calculations.
  • The Ariane 5 rocket explosion: In 1996, the European Space Agency’s Ariane 5 rocket exploded just after takeoff due to a global programming error. The error was caused by an overflow in a software routine that converted a 64-bit floating-point number to a 16-bit signed integer.
  • The Therac-25 radiation overdose: In the 1980s, a global programming error in the software for the Therac-25 radiation therapy machine led to several patients receiving dangerous overdoses of radiation. The error was caused by a race condition in the software that allowed the machine to deliver multiple doses of radiation without waiting for the previous dose to be completed.
  • The Patriot missile failure: In 1991, during the Gulf War, a global programming error in the software for the Patriot missile defense system led to the failure of several missiles to intercept incoming Iraqi Scud missiles. The error was caused by a bug in the software that caused the missiles to lose track of their targets and self-destruct.

 

Since 2000, there have been many examples of programming bugs that have had significant consequences. Some examples include:

  • The Heartbleed bug: In 2014, a programming bug was discovered in the widely-used OpenSSL software library. The bug, known as the Heartbleed bug, allowed attackers to access sensitive information, such as passwords and encryption keys, from affected systems.
  • The Windows Metafile vulnerability: In 2017, a programming bug was discovered in the Windows operating system that allowed attackers to take control of a computer by sending a maliciously-crafted image file.
  • The Apple “goto fail” bug: In 2014, a programming bug was discovered in Apple’s iOS and OS X operating systems that allowed attackers to intercept encrypted communications. The bug, known as the “goto fail” bug, was caused by a misplaced “goto” statement in the code.
  • The Intel CPU security flaw: In 2018, a programming bug was discovered in the microcode of Intel CPUs that allowed attackers to access sensitive information from affected systems. The bug, known as the Meltdown and Spectre vulnerabilities, affected nearly all Intel CPUs produced since 1995

The huge power failure in the North American Northeast on August 14th, 2003 was caused by a programming error in the software for a power transmission system. The error caused the system to automatically shut down a critical power line in Ohio, which triggered a cascading failure of the power grid that affected an estimated 50 million people in the United States and Canada. The programming error was caused by a bug in the software that caused it to misinterpret data from a sensor on the power line. The error went undetected during testing, and the software was deployed without being properly fixed. The power failure caused widespread disruption, including blackouts, traffic gridlock, and the shutdown of businesses and public services. It was one of the largest power failures in history.

Techniques for uncovering bugs

  1. DAST – Dynamic Application Security Testing is the process of analyzing a web application through the front-end to find vulnerabilities through simulated attacks. This type of approach evaluates the application from the “outside in” by attacking an application like a malicious user would. After a DAST scanner performs these attacks, it looks for results that are not part of the expected result set and identifies security vulnerabilities.
  2. IAST – Interactive Application Security Testing helps organizations identify and manage security risks associated with vulnerabilities discovered in running web applications using dynamic testing techniques. IAST works through software instrumentation, or the use of instruments to monitor an application as it runs and gather information about what it does and how it performs. IAST solutions instrument applications by deploying agents and sensors in running applications and continuously analyzing all application interactions initiated by manual tests, automated tests, or a combination of both to identify vulnerabilities in real time.
  3. RASP stands for Runtime Application Self-Protection is designed to protect applications from attacks by detecting and blocking malicious activity in real time. RASP works by inserting a monitoring agent into the application’s runtime environment, where it can monitor the application’s behavior and detect any attempts to exploit security vulnerabilities. When a potential attack is detected, the RASP agent can take a number of actions to block the attack and protect the application, such as blocking the request, logging the attack, or alerting security personnel. RASP is considered to be an effective security tool because it can provide protection without requiring any changes to the application’s code.
  4. SAST stands for Static Application Security Testing is a frequently used Application Security tool, which scans an application’s source, binary, or byte code. A white-box testing tool identifies the root cause of vulnerabilities and helps remediate the underlying security flaws. SAST solutions analyze an application from the “inside out” and don’t read a running system to perform a scan. SAST reduces security risks in applications by providing immediate feedback to developers on issues introduced into code during development. It helps educate developers about security while they work, providing them with real-time access to recommendations and line-of-code navigation, which allows for faster vulnerability discovery and collaborative auditing. This enables developers to create more code that is less vulnerable to compromise, which leads to a more secure application.

How to make the right choice?

Every testing method serves a different purpose, and so they should be skillfully employed at a specific time. If you want to protect the very core of your business, experts from Curiosity AI will help you navigate all the aspects for both the development process and operation of your business. 

Resources

  1. https://www.openrefactory.com/intelligent-code-repair-icr/
  2. https://www.softwaretestinghelp.com/types-of-software-errors/
  3. https://www.ptsecurity.com/ww-en/analytics/knowledge-base/sast-dast-iast-and-rasp-how-to-choose/
  4. https://www.microfocus.com/en-us/home
  5. https://www.synopsys.com/glossary/what-is-iast.html
  6. https://coralogix.com/blog/this-is-what-your-developers-are-doing-75-of-the-time-and-this-is-the-cost-you-pay/ 

 

Also, for redacting this article we use the help of GPT chat 🙂

 

Join Our Newsletter

Reducing waste through automation!
We design and implement custom software solution helping forward thinking customers automate vital operational and production processes in order to increase productivity and achieve exponential growth.
Together with our customers/partners we also try to identify how to maximise the value of operational data through artificial intelligence implementations.

10 + 5 =