Super Patch Tuesday highlights limits of program code debugging
October 2009 by
With no fewer than 34 security vulnerabilities, eight of them potentially serious, fixed in Microsoft's latest 'super' Patch Tuesday, Imperva, the data security specialist, says we are reaching the limits of the Software Development Life Cycle (SDLC) planning process.
"Even with the resources that it has, if Microsoft has to issue this many patches for its security updates - breaking the record set back in June - then it’s obvious that the Software Development Life Cycle (SDLC), while important, is imperfect," said Amichai Shulman,
"The fact that Microsoft has broken its own Patch Tuesday record suggests that the software giant has reached the inherent limits of real world software debugging processes," he added.
According to Shulman, the law of big numbers - when applied to the lines of program code in a major application - gives us a non-zero prediction as to the number of software flaws per 1,000 lines of program code.
What this means, he says, is that no matter how much quality assurance you throw at the SDLC process, there is a limit to the effect you can have on the quality of the software application.
And, he explained, what has happened to Microsoft is likely to start happening to other software vendors, as more complex applications are released.
"The prudent use of an SDLC can improve the quality of software, and the security of the information it is processing," explained Shulman. "But the threat landscape is extremely dynamic. Companies must have defensive technologies in place to combat immediate threats that SDLCs simply can't cover."