Call 1-800-731-0046

Computers: Application Code Inspections: The Good, the Bad, and the Ugly

(Mon Oct 29th, 2007, by Claudio LoCicero, M.S.)

Why is it that after much discussion over many years are we still talking about software vendors putting to market applications that are plainly not ready for prime time? Applications with numerous bugs, undocumented quirks, and security holes are being developed and sold everyday by large software companies and independent application developer alike. Is it that code inspections are not widely implemented or that the testing performed is not comprehensive enough? What is code inspection and how does a software vendor's management along with human nature interact together to play a role in this problem?

Code inspection is a very in-depth review of code that puts a group of people together to go through the logic of each line of code in an application. The first problem that comes to mind is that applications can range from a few lines of code to several million and it becomes apparent that the task of code inspection could be a very long, tedious, and demanding ordeal for those involved in the review. This brings me to the next point of discussing who would be involved in the review. One group involved would be the developers of the application and there will be several others involved that are either programmers themselves and/or are professional application testers. From the perspective of the application developers, this process could have the look and feel of an inquisition and they may not be too forthcoming during the process. In the event that all those involved are cordial, professional, and the application developers do not take offence easily to close inspection of their work, then the process should run smoothly.

Code inspection by these teams can normally be performed at a rate of about 150 lines of code per hour and if my math is correct, a medium sized application with 99,000 lines of code would take approximately 660 hours to complete or over 82 eight hour days. Of course, breaking the task into multiple blocks for several teams to work on would reduce the timeline but may not be advantageous because the benefit of continuity and cumulative knowledge gained by reviewing the application from start to finish, which contributes to better inspections, would be lost. Then there is the issue of it being almost humanly impossible to spend an entire 8 hour work day reviewing code, therefore a more realistic amount of time per day to review code is 5 hours, which would increase the overall timeline for completion, in this example, to almost four and a half months.

Unfortunately, management of many software companies don't fund such an in-depth review process and may permit only a cursory inspection then adapt a stance that it will develop patches if and when errors are reported by consumers. Software developers that create applications that control medical and safety equipment do not normally take this approach, but there have been cases (the Therac-25 radiotherapy machine comes to mind) where complete inspections and testing were not performed and lives were lost.

Customers normally, and understandably, believe that they have a fiduciary relationship between them and the companies that sell them products. This human nature of trust extends to software developers where they believe that the vendor has done its due diligence to ensure that the application is free from defect and that they are purchasing a quality product. We know that this is not always the case, particularly when you read the licensing agreements...yes, the licensing agreement. That is the text you first see when installing an application and completely explains the rights afforded to the consumer and the rights afforded to the vendor. Clicking the "I Understand" box and then clicking on "Next" without reading it, as most people do, will prevent the customer from realizing that usage, or merely the installation, of the application signifies full acceptance of the terms which invariably has a provision that indemnifies the application developers or the software company from any liability stemming from the usage of the product.

Perhaps the solution to this seemingly age old problem is the introduction of legislation requiring the elimination of such clauses from licensing agreements which may, eventually, become the catalyst in the development of defect free software.

About the Author

Written by Claudio LoCicero, M.S.

Over his career he has held several technical and management positions both in the United States and overseas within the private and government sectors. Claudio LoCicero holds a Master of Science in Information Technology with an Information Security Specialization. He also holds numerous professional certifications such as the PMP, CISM, CISSP, ITILF, along with several certifications from Cisco, Microsoft, and the NSA.