Prior to Sir Joseph Lister’s research and advocacy of clean surgery, the prevailing surgical culture was summed up like this: “Surgeons of the time referred to the ‘good old surgical stink’ and took pride in the accumulated stains on their unwashed operating gowns as a display of their experience.”
Even today’s Neonatal Intensive Care Units require visitors to scrub upon entry. No exceptions are allowed, even if you scrubbed yesterday. Scrubbing shall occur on entry – every – single – time.
Guess what: this takes time & money! And it is a proven practice that improves patient survival and long-term outcomes. But then, these are dedicated professionals committed to ensuring that outcome.
Are there antiseptic coding practices that can be employed? First of all, consider the definition of “septic”: infected with bacteria. The key word is ‘infected’. There are good bacteria & not-so-good bacteria. The same can be said of processes, code & cultures.
One can posit that without a culture of constantly improving software development, secure code is a fantasy. In other words, before the world of surgery adopted sterile technique, patients just died, over and over. Many security vulnerabilities can be traced back to sloppy work. Consider this list of simple, low-cost techniques that can improve code quality & security:
1. Compiler warnings are free. And helpful. And automated. A team that keeps its build at zero warnings has a cheap safety net: the moment a new warning appears it stands out, instead of being lost among hundreds that everyone has learned to ignore. Turn on the broad warning sets (-Wall -Wextra for GCC and clang, /W4 for MSVC) and make warnings fail the build (-Werror, /WX) so that ignoring one is not an option. Consider this the most rudimentary static analysis tool.
2. Eliminate duplicated code. Copy-pasted code means the same defect lives in several places, and a fix applied where the bug was reported leaves the other copies vulnerable. Once a defect is identified, fixing it once and for all only works if there is one place to fix. If eliminating the duplication is an insurmountable challenge, you have very big problems beyond just code.
3. Training is essential. Secure coding instruction is becoming more common, but a significant share of software developers still have no idea what constitutes secure coding practice. Security should be designed into the code, not patched on as an afterthought.
4. Ensure your team has a professional culture that demands quality software. Consider hiring a plumber who leaves behind a dripping faucet; he cannot pass this off as the customer having exceedingly high expectations. Do you expect your IRA software to be high quality? Medical imaging software to be high quality? Gasoline pump credit card software to charge correctly? Perhaps one needs to think of bugs as the ‘good old surgical stink’…
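Item 1 in practice, as an added example that is not code from the original post: two well-known defect shapes that a default build compiles without a word but that -Wall -Wextra report, each beside its corrected form. The first is modelled on the duplicated "goto fail" in Apple's 2014 TLS bug, which is what GCC's -Wmisleading-indentation was written to catch; the second is a missing break in a switch, which -Wimplicit-fallthrough reports. The function names, the role and permission constants, and the file name in the compile command are assumptions made for this illustration.

```c
/* Added example, not code from the original post. Two defects that a
 * default build (e.g. `cc warnings_demo.c`) compiles without comment but
 * that -Wall -Wextra report. With -Werror added they stop the build:
 *
 *     cc -std=c11 -O2 -Wall -Wextra -Werror warnings_demo.c
 *
 * The function names, the role/permission constants and the file name are
 * assumptions made for this illustration. */
#include <stdio.h>

/* Constructed permission bits and roles for the switch example. */
enum { PERM_READ = 1, PERM_WRITE = 2, PERM_ADMIN = 4 };
enum role { ROLE_GUEST, ROLE_USER, ROLE_ADMIN };

/* 1. Duplicated `goto fail` (the shape of Apple's 2014 TLS bug).
 * stage1_ok / stage2_ok stand in for two signature checks. The second
 * `goto fail` is indented as though the `if` guarded it, but it is
 * unconditional: once stage 1 passes, err is still 0 and control jumps
 * to `fail`, returning "verified" without ever running stage 2.
 * GCC 6+: "this 'if' clause does not guard..." [-Wmisleading-indentation] */
int verify_unchecked(int stage1_ok, int stage2_ok)
{
    int err = 0;
    if ((err = !stage1_ok) != 0)
        goto fail;
        goto fail;                     /* BUG: skips the stage-2 check */
    if ((err = !stage2_ok) != 0)
        goto fail;
fail:
    return err;                        /* 0 means "verified" */
}

/* Corrected form: both checks run; err is nonzero if either fails. */
int verify_fixed(int stage1_ok, int stage2_ok)
{
    int err = 0;
    if ((err = !stage1_ok) != 0)
        goto fail;
    if ((err = !stage2_ok) != 0)
        goto fail;
fail:
    return err;
}

/* 2. Missing `break`: ROLE_USER falls through into the ROLE_ADMIN case
 * and silently gains PERM_ADMIN.
 * GCC 7+ (-Wextra) / clang (-Wimplicit-fallthrough):
 * "this statement may fall through" [-Wimplicit-fallthrough] */
unsigned perms_unchecked(enum role r)
{
    unsigned perms = 0;
    switch (r) {
    case ROLE_GUEST:
        perms = PERM_READ;
        break;
    case ROLE_USER:
        perms = PERM_READ | PERM_WRITE;    /* BUG: no break */
    case ROLE_ADMIN:
        perms = PERM_READ | PERM_WRITE | PERM_ADMIN;
        break;
    }
    return perms;
}

/* Corrected form: every case ends in break; unknown roles get nothing. */
unsigned perms_fixed(enum role r)
{
    unsigned perms = 0;
    switch (r) {
    case ROLE_GUEST:
        perms = PERM_READ;
        break;
    case ROLE_USER:
        perms = PERM_READ | PERM_WRITE;
        break;
    case ROLE_ADMIN:
        perms = PERM_READ | PERM_WRITE | PERM_ADMIN;
        break;
    default:
        perms = 0;
        break;
    }
    return perms;
}

int main(void)
{
    /* Stage 1 passes, stage 2 fails: the buggy version still says "verified". */
    printf("verify_unchecked(1, 0) = %d   (0 = accepted, stage 2 never ran)\n",
           verify_unchecked(1, 0));
    printf("verify_fixed(1, 0)     = %d   (nonzero = rejected)\n",
           verify_fixed(1, 0));
    /* A plain user: the buggy version hands out PERM_ADMIN. */
    printf("ROLE_USER perms: unchecked=%u fixed=%u (PERM_ADMIN=%u)\n",
           perms_unchecked(ROLE_USER), perms_fixed(ROLE_USER),
           (unsigned)PERM_ADMIN);
    return 0;
}
```

Build it with -Werror and neither *_unchecked function compiles; drop -Werror and the build succeeds with two warnings that a team which tolerates "a few warnings" will never notice. Note that -Wimplicit-fallthrough is part of -Wextra on GCC 7 and later but has to be requested by name on clang, so pin the flag set in the build rather than relying on each compiler's defaults.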
This is just a starting point, time to get moving!