Failing the test
I read with great interest your feature on the UK’s 10 worst web application failures (Information Age, May 2003), but was unsurprised to see that poor and insufficient testing was a significant causal factor in a number of the examples. Unfortunately the nature of systems failures like these is not confined to the web, but is prevalent across a number of industries.
At LogicaCMG we recently conducted qualitative research into project testing, interviewing over 70 senior IT and operations personnel within the government, financial and telecoms sectors. The alarming conclusion was that over two-thirds of systems failures are caused by upgrades, yet only 11% of upgrade projects are thoroughly tested.
Half of the respondents questioned were aware that insufficient internal resources were directed towards testing, with 63% stating that they believed outsourced testing would improve the quality of software releases. Despite this awareness, 50% still saw outsourced testing as too expensive and consequently only 33% outsource testing at all.
Considering the critical importance of IT systems in providing key internal and customer services within businesses, it is disappointing to see that a lack of investment in the initial development and implementation stages of a project so often leads to catastrophic and reputation-damaging failures further down the line. What’s worse is that so many decision makers recognise the issues, but feel unable to take steps to avoid them.
The combined cost of rectifying such failures and the immeasurable cost of damage to a business’ reputation clearly exceed any benefit gained in pushing testing down the priority schedule during the strategy process.
More attention needs to be paid to the delicate process of integrating systems in the first place, especially as reliance on them continues to grow.
LogicaCMG Outsourcing Services
Staying in the middle
‘Down and Out’ (Information Age, April 2003) provided good insight into the current state of the enterprise market. Today, customers want corporate assurances before they even begin to look at the technology. As a result, the enterprise software market will increase its focus on viable vendors.
When Larry Ellison says consolidation will focus on IBM, SAP, Microsoft, and needless to say, Oracle, he is talking about the enterprise and he’s probably correct, but what about the mid-market? You cannot automatically assume that experience and success at the top end of the market will translate to the mid-market. The typical application required by an enterprise is accompanied by a weighty price tag and lengthy implementation timeframe, which requires significant in-house IT resources. The mid-market plays to different business rules, which should be recognised. The current economy and conditions in the IT industry are driving customers towards a smaller number of suppliers, but that doesn’t mean mid-market organisations will select products not architected to meet their needs. Larry Ellison would have you believe that his products meet the needs of mid-market organisations but that is because he needs a new revenue stream.
Companies with revenues of between $50 million and $1 billion represent our sweet spot. We are an enterprise class software provider that understands the particular requirements of mid-market organisations and we are here to stay.
Managing director, UK
The ‘C’ factor
I read your article Security from scratch (Information Age, March 2003) and disagree with Professor Ross Anderson when he suggests ‘what is important is the rate at which bug fixes are produced and applied’. I believe that it is much better to prevent bugs and flaws occurring in the first place.
Attacks on supposedly secure IT systems can come in many different forms and many are due to bugs. Some are hard to anticipate, others are easy to anticipate and to guard against. The buffer overflow is one of the most common attacks and is not uncommon for Microsoft. This is an entirely predictable attack, and systems can be designed to be 100% secure against buffer overflow attacks.
Insecure coding can be the fault of modern programming languages such as C where it is less easy to guard against buffer overflow. This is the most widely used programming language for systems software today, despite dating back to the early 70s. If buffer overflow does occur in C, it is not detected unless the programmer has written an explicit check.
In contrast, other languages such as Java and Ada detect an attempted overflow immediately and raise an exception. This mitigates the problem slightly by turning what would otherwise be a security vulnerability into a denial-of-service vulnerability. However, to avoid problems completely, these types of attacks should be prevented in the first place.
The solution is to move away from low-level languages like C to languages that are designed for safety and ease of analysis as much as for programmer convenience. When programs are developed in such languages, it is possible to prove that buffer overflow cannot occur, no matter what the input.
The analysis I refer to is automated formal analysis, i.e. using a computer to predict exactly what the program will do. Apart from showing that a program is resistant to buffer overflow and some other attacks, it can also be used to show that the program meets its specifications. The result is a much higher quality of software. Formal analysis can also be used to verify other aspects of security, for example the security of cryptographic protocols.
Even Microsoft is showing interest in the ways of using formal analysis to improve IT system security, having recently sponsored a conference, which was devoted to preventing security vulnerabilities.
Dr David Crocker
In our recent Business Briefing, ‘New frontiers in business applications’, we incorrectly identified Sage as the world’s 10th largest mid-market business applications software company. In fact, the company’s revenue growth of 14% in 2002, to £551.7 million ($864.5m), makes it the world’s fifth largest mid-market applications vendor – almost double the size of its nearest rival, Microsoft Business Solutions.