[SystemSafety] OpenSSL Bug
Tom Ferrell
tom at faaconsulting.com
Thu Apr 10 23:24:17 CEST 2014
I was onboard with the last post right up until the very last sentence:
" In fact, a consultant friend of mine recommends we don't even call
them "defects". He says, "Call them what they really are: programmer
malpractice".
For a great deal of software where all that matters is time to market,
such a view might have some traction. However, I would argue that
seldom is a single programmer to blame, but rather a management
structure who cares only about schedule and cost, and a broader industry
that rewards time to market with massive ROI. In many cases, this ROI
would trump all but the biggest legal settlements. I do agree that
initiatives like the SWEBOK help as to certification programs for
software professionals in general. These do not, however, get to the
heart of the cultural problems and what seems to be an ever increasing
erosion of basic engineering ethics. Overall this community needs to do
a better job of communicating the societal impact of poor practices
throughout the software engineering discipline.
On a different, but related note: the aerospace community has a long
history of allowing people to come forward with problems so that they
can be solved. This framework depends heavily on a system of anonymity
and non-retribution. Creating a fora for software professionals to
report on breakdowns in software engineering processes would be
difficult but would seem to be worth pursuing.
More information about the systemsafety
mailing list