Mike Bland

Fingers Crossed

Turns out I couldn't let the Apple SSL bug go quite yet, as I've submitted an article to Communications of the ACM for consideration

- Boston
Tags: ACM, Apple, AutoTest Central, Google, Meetup, Test Certified, Test Mercenaries, Testing Grouplet, TotT, goto fail, grouplets, programming

The Apple SSL bug slide deck and the TotT-inspired treatment led to a draft of a complete Apple SSL bug article. I've reserved copyright on the article because I've submitted it for consideration to Communications of the ACM, the flagship journal of the Association for Computing Machinery. An excerpt from my cover letter:

Dear Communications of the ACM Editorial Staff:

As per the Author Guidelines, I am submitting my article “Finding More than One Worm in the Apple” for consideration as a Contributed Article in the Communications of the ACM. The central theme is how unit testing specifically could have prevented Apple’s recent SSL/TLS security flaw. In doing so, I reveal how the flaw is indicative of deeper technical and cultural problems than a single programmer’s moment of error, and argue against several published theories of how the error was caused and, in some interpretations, excusable.

The article discusses issues pertaining to several aspects of the computing field as seen through the lens of code quality and automated testing. These include: specific coding problems and techniques for addressing them; the downstream impact of preventable errors, specifically security-related errors; the benefit of a multi-tiered software testing strategy; and the influence of engineering culture on individual habits and software defects. Such issues bear relevance to the day-to-day reality of the practicing Communications reader who is responsible for: writing code; managing a development team; quality assurance; setting standards within a development culture; or teaching upcoming generations of software practitioners. I believe it is important to raise the level of discussion around this flaw to counter the resigned and permissive tone of many existing, high-profile analyses, and to put the impact of code quality and engineering culture squarely into focus. I also mention my past experience helping change the engineering culture at Google as a potential model for how to address the larger cultural issues.

The implication in the last post that I was finished with this issue? I lied. Wish me luck.
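The cover letter's central claim, that a unit test could have caught the flaw, is easy to see in code. The example below is added here and is neither the article's code nor Apple's: it reproduces only the control-flow shape of the real bug (a duplicated, indented `goto fail;` in `SSLVerifySignedServerKeyExchange` that made the signature check unreachable while `err` still held the success value of the previous call) using a constructed toy hash and a toy "signature" that is just the expected digest. The sample parameters, the function names, and the test helpers are all assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy stand-ins for the hash and signature steps (constructed for this
 * example; they model only the control flow, not Apple's real crypto). */
typedef struct { uint32_t state; } hash_ctx;

static int hash_init(hash_ctx *c) { c->state = 2166136261u; return 0; }

static int hash_update(hash_ctx *c, const uint8_t *p, size_t n) {
    for (size_t i = 0; i < n; i++) { c->state ^= p[i]; c->state *= 16777619u; }
    return 0;
}

static int hash_final(const hash_ctx *c, uint32_t *out) { *out = c->state; return 0; }

/* Toy "signature": the signature is the expected digest; 0 = ok, -1 = bad. */
static int verify_signature(uint32_t digest, uint32_t sig) {
    return digest == sig ? 0 : -1;
}

/* Vulnerable shape. The second, indented "goto fail;" always executes, so the
 * hash_final and verify_signature calls are unreachable and err is returned
 * as 0 (success) from the preceding hash_update call: any signature passes. */
int verify_key_exchange_buggy(const uint8_t *params, size_t n, uint32_t sig) {
    hash_ctx c;
    uint32_t digest = 0;
    int err;

    if ((err = hash_init(&c)) != 0)
        goto fail;
    if ((err = hash_update(&c, params, n)) != 0)
        goto fail;
        goto fail;   /* duplicated line: unconditional jump, err still 0 */
    if ((err = hash_final(&c, &digest)) != 0)
        goto fail;
    err = verify_signature(digest, sig);

fail:
    return err;
}

/* Fixed shape: exactly one goto per check, so verification is reached. */
int verify_key_exchange_fixed(const uint8_t *params, size_t n, uint32_t sig) {
    hash_ctx c;
    uint32_t digest = 0;
    int err;

    if ((err = hash_init(&c)) != 0)
        goto fail;
    if ((err = hash_update(&c, params, n)) != 0)
        goto fail;
    if ((err = hash_final(&c, &digest)) != 0)
        goto fail;
    err = verify_signature(digest, sig);

fail:
    return err;
}

/* Produces the signature a legitimate peer would send for params. */
uint32_t sign_params(const uint8_t *params, size_t n) {
    hash_ctx c;
    uint32_t digest;
    hash_init(&c);
    hash_update(&c, params, n);
    hash_final(&c, &digest);
    return digest;
}

typedef int (*verify_fn)(const uint8_t *, size_t, uint32_t);

/* Constructed sample input standing in for ServerKeyExchange parameters. */
static const uint8_t sample_params[] = "constructed DHE params";
#define SAMPLE_LEN (sizeof sample_params - 1)

/* The unit test the article argues for: a tampered signature must be
 * rejected. Returns 1 if the implementation rejects it, 0 if it accepts. */
int rejects_bad_signature(verify_fn verify) {
    uint32_t bad = sign_params(sample_params, SAMPLE_LEN) ^ 1u;  /* flip one bit */
    return verify(sample_params, SAMPLE_LEN, bad) != 0;
}

/* Companion check: the genuine signature must still be accepted. */
int accepts_good_signature(verify_fn verify) {
    uint32_t good = sign_params(sample_params, SAMPLE_LEN);
    return verify(sample_params, SAMPLE_LEN, good) == 0;
}

int main(void) {
    printf("buggy rejects tampered signature: %d\n", rejects_bad_signature(verify_key_exchange_buggy));
    printf("fixed rejects tampered signature: %d\n", rejects_bad_signature(verify_key_exchange_fixed));
    printf("fixed accepts genuine signature:  %d\n", accepts_good_signature(verify_key_exchange_fixed));
    return 0;
}
```

The point of `rejects_bad_signature` is that it needs no knowledge of the bug: it only states the contract (a tampered signature is rejected) and would have failed the instant the duplicated line landed, regardless of whether the duplication came from a merge, a paste, or a typo.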