'&$%CSE 303:Concepts and Tools for Software DevelopmentHal PerkinsWinter 2009Lecture S3— Societal Implications: Software Quality, Licensing,Defect Disclosure, . . .CSE 303 Winter 2009, Lecture S3 1'&$%The Big QuestionsIs software any good? Could society make it better?Who should be allowed to w rite software? Is “real” software different?What responsiblity do software w riters, users, and selle rs have?Should you be able to restrict software’s use? How?When a critical defect is discovered, who bears responsibility forrevealing or fixing it?CSE 303 Winter 2009, Lecture S3 2'&$%Quality Issues“Kinds” of software??• Mission-critical: nuclear-missile, hospital equipment, air-trafficcontrol, . . .• Business-critical: Online retailer, stock market, your database, . . .• Computer-critical: operating system, browser, . . .• Get what you pay for: freeware, CSE homework, . . .How do we know what is what?CSE 303 Winter 2009, Lecture S3 3'&$%Bug Issues• How often is it triggered?• Can an adversary make it trigger?• What damage does it do?• What is a complex piece of software supposed to do?Contrast with cars, buildings, etc.?CSE 303 Winter 2009, Lecture S3 4'&$%Software Re lease CycleStandard industry practice for large projects• Prioritize bugs (P1 (blockers), P2, P3, . . . )• Freeze features and non-essential changes as release approaches• Release when code is “ok” (no more P1 bugs, or no m ore thann P1 or P2 bugs, or . . . ); release might or might not be tied tothe calendarUsed by many open-source projec ts as well as com me rcial andin-house.When is a software release “done”? Is it even meaningful to talk aboutwhether software is “finished” or “ready”?• Many “agile” projects use frequent, increme ntal releases . Better?CSE 303 Winter 2009, Lecture S3 5'&$%Who is to blame?• A writes some C code that has an array-bounds error in it thatcan be triggered if a function is called with certain arguments.• B uses A’s code to develop an application such as a web browser.• C uses the web browser B develops.• D sets up a website that C visits. The contents of the websitetrigger the array-bounds error.• As a result of the error, C’s computer connects to E’s computerand deletes all the files there.• F knew about the error but didn’t tell anybody, in fact hadnothing to do with writing the code.CSE 303 Winter 2009, Lecture S3 6'&$%ProgrammersWould software be better if “public” code required licensedprogrammers?Is a “software e ngineer” a real engineer?Who would do the lice nsing?What would you test?Who would you blame?Would you still allow “as is ” code?Would anyone use software that cost more?CSE 303 Winter 2009, Lecture S3 7'&$%Software Li cens esWhat can a software provider require a user to do/not-do/allow?Can a software provider declaim liability in a shrink-wrap lice nse? Doesthe user have any recourse if something does go wrong?What about software-library writers?Is open-source software more sec ure? Less secure? A lost-in-the-noisefeature?CSE 303 Winter 2009, Lecture S3 8'&$%Business ConcernsIf you’re a business, how high-quality do you want your software?Worth delaying the product?Worth slowing down the product?Worth having fewer features?Worth charging more?How do you feel as a customer? Can you determine quality?CSE 303 Winter 2009, Lecture S3 9'&$%When Something Goes WrongIf a security-flaw is discovered:• Should we have laws forbidding publicity?• Should we have laws mandating publicity?• Should we require patching? Penalties for violation? What aboutold/ancient software (Windows 95/98, MS-DOS, Classic Mac OS,Netscape browsers)?• Is actively finding flaws good/bad/depends-what-you-do-with-it?• Viruses that fix viruses?Relevant issues: obscurity vs. se curity, malice vs. negligence, . . .CSE 303 Winter 2009, Lecture S3 10'&$%The PlanChoose 1 of 5 groups (bug pragmatics, people-licensing,software-lice nsing, business-cust omer perspective, re vealing/fixingsecurity bugs).Choose 1 or 2 theses.Choose 2-4 arguments for each side.Report on the group’s conclusion from weighing the arguments.Participate!CSE 303 Winter 2009, Lecture S3
View Full Document