At the beginning of this year we were pleased to read: the number of worldwide documented software deficits went down in 2016 compared to 2015: from 6,400 to 5,600, more than 10% less! The source was the Hasso-Plattner-Institut in Potsdam near Berlin, Germany.
One month later it seems that some more bugs had been reported, and hence the decrease had turned into a small increase by then (yellow = minor deficits, red = severe deficits). Too bad.
Software-deficits reported by Hasso-Plattner-Institut on 02-18 / 17
Poor quality anyway
However: some 100 vulnerability deficits more or less do not seem so important to me. What really counts is their absolute number: 6,500!
The red part of the column displays the number of severe deficits – nearly 2,500!
If we were talking about cars, in these models the brakes wouldn’t work or the steering would lock. Thousands of fridges would defrost overnight and many nuclear plants would emit far too much radiation. Why is that not the case? These are technologies with a zero-bug philosophy. Zero-bug is the standard orientation for any educated engineer.
But not in the software business. For more than 30 years we have gotten used to the fact that software development is a multi-bug technology. Explicitly and unscrupulously. The patch and bug-fixing plans are even part of the marketing strategy.
It is true: cars, fridges and even nuclear plants have problems once in a while. We know product recalls and we know Chernobyl and Harrisburg. No fun at all for the management. But: they did not plan it that way!
For software developers the green banana (a product that ripens only after it reaches the customer) is the standard business case.
And it’s true too: one reason for this situation is the enormous price pressure in the IT business, and in the end that means: we ourselves are responsible. But are we truly more generous and less parsimonious when buying a car or a fridge?
The underlying metric of the statistics above is the CVSS index. It measures only vulnerability, “hackability” in a way. Mere functionality (does it do what it should do?) is not considered. We probably could double all the numbers here if we were to evaluate the deficits in the sense of some “holistic quality”.
The true reason
I believe the reason behind this absurd situation is that we do not have any official licensing process for software. Anybody can claim to be a developer and sell his software products. Considering our ever faster growing dependency on the digital environment, this is really wantonly negligent. But which semi-official institution would dare to take on such a challenging task?
The difficult Germans are not known as first-line fans of the digital world. They have long been, and still are, fans of quality. The multi-deficit culture of the software industry surely is one of the reasons for the Germans’ reserve.