Re: Software Liability

Re: Software Liability

[Robert C. Leif]

From: Bob Leif
To: All
The following is from Reuters. Please see the last sentence. 
--------------------------------------------------------------
Software Errors Cost Billions 
Fri Jun 28, 6:12 PM ET 

NEW YORK (Reuters) - Software bugs are not just annoying or
inconvenient. They're expensive. 

  
According to a study by the U.S. Department of Commerce's National
Institute of Standards and Technology (NIST), the bugs and glitches cost
the U.S. economy about $59.5 billion a year. 

"The impact of software errors is enormous because virtually every
business in the United States now depends on software for the
development, production, distribution, and after-sales support of
products and services," NIST Director Arden Bement said in a statement
on Friday. 

Software users contribute about half the problem, while developers and
vendors are to blame for the rest, the study said. The study also found
that better testing could expose the bugs and remove bugs at the early
development stage could reduce about $22.2 billion of the cost. 

"Currently, over half of all errors are not found until 'downstream' in
the development process or during post-sale software use," the study
said. 

The study, conducted by the Research Triangle Institute in North
Carolina and the software industry was conducted to identify and assess
technical needs to improve software-testing capabilities. 

Software is error-ridden, in part because of the complexity inherent in
millions of lines of code. About 80 percent of the cost of developing
software programs goes to identifying and correcting defects. Yet, few
products of any type other than software are shipped with such high
levels of errors, the study found. 

Other factors contributing the problem include marketing strategies,
limited liability by software vendors, and decreasing returns on testing
and debugging, according to the study. 

In January, the National Academy of Sciences ( news - web sites) issued
a report urging lawmakers to consider adopting legislation to hold
software vendors liable for security breaches. 

If software makers were held liable, the cost to consumers would rise
dramatically, said Marc E. Brown, a partner at the Los Angeles law firm
of McDermott, Will & Emery. 

However, Europe already has begun addressing the issue. 

A Dutch judge in September convicted Exact Holding of malpractice for
selling buggy software, rejecting the argument that early versions of
software are traditionally unstable. 

Re: Software Liability

[W D Tate]

"Robert C. Leif" <rleif@rleif.com> wrote in message news:<mailman.1025321584.15163.comp.lang.ada@ada.eu.org>...

[snip]
> 
> NEW YORK (Reuters) - Software bugs are not just annoying or
> inconvenient. They're expensive. 
> According to a study by the U.S. Department of Commerce's National
> Institute of Standards and Technology (NIST), the bugs and glitches cost
> the U.S. economy about $59.5 billion a year. 
[snip] 
> If software makers were held liable, the cost to consumers would rise
> dramatically, said Marc E. Brown, a partner at the Los Angeles law firm
> of McDermott, Will & Emery. 
>
This is the same apocalyptic argument that industry made wrt complying
with environmental regulations in the U.S.  History, however,
demonstrated that these regulations compelled corporations to find new
efficiencies, eliminate wastestreams &/or inefficient operations which
ultimately led to lower costs and, in some instances, a competitive
advantage.

What this attorney appears to be suggesting (implicitly) is that
companies enjoy lower costs (i.e., life-cycle) for pushing out poorly
designed & implemented software. IMO many companies don't have a first
clue as to what their "real" costs would be if they were to
design/implement software that held up after n-generations.

Examples...
A well-established commercial numerical analysis package has had
numerous "math" related bugs introduced with each subsequent release -
bugs that did not exist in prior versions that performed the same
mathematical operations.  Its gotten to the point that Jack Crenshaw,
PhD,(www.embedded.com) has strongly recommended using a version of
this software at least 3 to 4 versions earlier. I would be a bit
concerned if my "cadillac" product were exhibiting these kinds of
persistent problems with every new release.

In a company I used to work for the entire codebase was written in
C++.  After many years, it had reached a point where only 1 or 2
individuals were permitted to "touch" the "core" for fear of breaking
something.  Mind you this is a company that is #1 in its market (sales
~ $200-300 million/year), serves an industry where security is a
"really big deal" and "bugs" cost their end-users "real" money.  This
company has always had a structured software development process.  In
2001, this same company was forced to do a complete re-write of the
codebase in order to achieve a "maintainable" state.

In either case, its difficult to imagine how one can separate the
life-cycle issue (and its associated costs) from the potential
"liability" issue.

So if we talk about costs, let's compare apples and apples please.

RE: Software Liability

[Robert C. Leif]

From: Bob Leif
To: W D Tate et al.
I e-mailed Mr. Brown that, in light of Ada and associated software
engineering technology, his argument was fallacious. 

-----Original Message-----
From: comp.lang.ada-admin@ada.eu.org
[mailto:comp.lang.ada-admin@ada.eu.org] On Behalf Of W D Tate
Sent: Tuesday, July 02, 2002 5:54 AM
To: comp.lang.ada@ada.eu.org
Subject: Re: Software Liability

"Robert C. Leif" <rleif@rleif.com> wrote in message
news:<mailman.1025321584.15163.comp.lang.ada@ada.eu.org>...

[snip]
> 
> NEW YORK (Reuters) - Software bugs are not just annoying or
> inconvenient. They're expensive. 
> According to a study by the U.S. Department of Commerce's National
> Institute of Standards and Technology (NIST), the bugs and glitches
cost
> the U.S. economy about $59.5 billion a year. 
[snip] 
> If software makers were held liable, the cost to consumers would rise
> dramatically, said Marc E. Brown, a partner at the Los Angeles law
firm
> of McDermott, Will & Emery. 
>
This is the same apocalyptic argument that industry made wrt complying
with environmental regulations in the U.S.  History, however,
demonstrated that these regulations compelled corporations to find new
efficiencies, eliminate wastestreams &/or inefficient operations which
ultimately led to lower costs and, in some instances, a competitive
advantage.

What this attorney appears to be suggesting (implicitly) is that
companies enjoy lower costs (i.e., life-cycle) for pushing out poorly
designed & implemented software. IMO many companies don't have a first
clue as to what their "real" costs would be if they were to
design/implement software that held up after n-generations.

Examples...
A well-established commercial numerical analysis package has had
numerous "math" related bugs introduced with each subsequent release -
bugs that did not exist in prior versions that performed the same
mathematical operations.  Its gotten to the point that Jack Crenshaw,
PhD,(www.embedded.com) has strongly recommended using a version of
this software at least 3 to 4 versions earlier. I would be a bit
concerned if my "cadillac" product were exhibiting these kinds of
persistent problems with every new release.

In a company I used to work for the entire codebase was written in
C++.  After many years, it had reached a point where only 1 or 2
individuals were permitted to "touch" the "core" for fear of breaking
something.  Mind you this is a company that is #1 in its market (sales
~ $200-300 million/year), serves an industry where security is a
"really big deal" and "bugs" cost their end-users "real" money.  This
company has always had a structured software development process.  In
2001, this same company was forced to do a complete re-write of the
codebase in order to achieve a "maintainable" state.

In either case, its difficult to imagine how one can separate the
life-cycle issue (and its associated costs) from the potential
"liability" issue.

So if we talk about costs, let's compare apples and apples please.

Re: Software Liability

[Marin David Condic]

Well, not entirely. If software sellers were held liable, they'd have to
start carrying liability insurance and that would cost something. Even with
Ada technology, you're not guaranteed bug-free software, so there would
still be liability cases. Depending on the lawyers and courts and juries,
even the best engineered software could still be a source of liability.
(Witness doctors being sued for malpractice even if they are doing
everything by the numbers.)

Still, it would be interesting to see what exactly you said to him.

MDC
--
Marin David Condic
Senior Software Engineer
Pace Micro Technology Americas    www.pacemicro.com
Enabling the digital revolution
e-Mail:    marin.condic@pacemicro.com


"Robert C. Leif" <rleif@rleif.com> wrote in message
news:mailman.1025637182.8394.comp.lang.ada@ada.eu.org...
> From: Bob Leif
> To: W D Tate et al.
> I e-mailed Mr. Brown that, in light of Ada and associated software
> engineering technology, his argument was fallacious.
>

Re: Software Liability

[Darren New]

Marin David Condic wrote:
> Well, not entirely. If software sellers were held liable, they'd have to
> start carrying liability insurance and that would cost something. Even with
> Ada technology, you're not guaranteed bug-free software, so there would
> still be liability cases. Depending on the lawyers and courts and juries,
> even the best engineered software could still be a source of liability.

There are also several *other* problems with software. One is that software
has subroutines. If you want to do something three times, you only write it
once. The difference in complexity between a 25-storey office building and a
30-storey office building is nowhere near as great as between a 25KLOC
program and a 30KLOC program. 

Another other problem, of course, is the use of software in areas where it
was never designed to be used. Nobody buys a toaster and tries to use it for
welding. People who buy a commuter car and then sue because it wouldn't go
offroad up the side of a mountain are doing something that a jury will
obviously be able to say is unreasonable. Someone who buys MSAccess and
tries to do big databases needing lots of concurrent access might be able to
get away with suing over its inability to handle that. Indeed, there have
been cases where the program worked as documented, the user didn't read the
documentation, made a bid based on the calculations, and sued when it came
out wrong because he ran the software incorrectly. He lost because of the
disclaimer. Or, need I say, the Ariene V problem...

Software is also expected to change much more than anything else. Nobody
would wait till you're on storey 15 of a 30-storey office building, then ask
"How much would it cost to make the lobby two storeys high?"

-- 
Darren New 
San Diego, CA, USA (PST). Cryptokeys on demand.
** http://home.san.rr.com/dnew/DNResume.html **
** http://images.fbrtech.com/dnew/ **

 Proud to live in a country where "fashionable" 
     is denim, "stone-washed" faded, with rips.

Re: Software Liability

[Wes Groleau]

> has subroutines. If you want to do something three times, you only write it
> once. The difference in complexity between a 25-storey office building and a

Depends on who you are.  I remember once
shaking my head in disbelief while examining
a _single_ Ada file that contained three _different_
algorithms for removing leading and trailing blanks
from a string.

When the person who wrote it said to someone else
across the room, "Ada is an abomination" it was very
difficult to not turn around and say, "It certainly
is when you write it!"

-- 
Wes Groleau
http://freepages.rootsweb.com/~wgroleau

Re: Software Liability

[John R. Strohm]

One would hope that you had a friendly talk with him at the code review.

"Wes Groleau" <wesgroleau@despammed.com> wrote in message
news:3D25C26F.5BB9E9AE@despammed.com...
>
>
> > has subroutines. If you want to do something three times, you only write
it
> > once. The difference in complexity between a 25-storey office building
and a
>
> Depends on who you are.  I remember once
> shaking my head in disbelief while examining
> a _single_ Ada file that contained three _different_
> algorithms for removing leading and trailing blanks
> from a string.
>
> When the person who wrote it said to someone else
> across the room, "Ada is an abomination" it was very
> difficult to not turn around and say, "It certainly
> is when you write it!"
>
> --
> Wes Groleau
> http://freepages.rootsweb.com/~wgroleau

Re: Software Liability

[Marc A. Criley]

Wes Groleau wrote:
> 
> Depends on who you are.  I remember once
> shaking my head in disbelief while examining
> a _single_ Ada file that contained three _different_
> algorithms for removing leading and trailing blanks
> from a string.
> 
> When the person who wrote it said to someone else
> across the room, "Ada is an abomination" it was very
> difficult to not turn around and say, "It certainly
> is when you write it!"

As a result of a company reorg, the projects at a facility that was
closing were relocated and I was in the group that inherited one of them
as it completed its final development phase and went into initial system
test.  (Note also that virtually none of the original developers
relocated with the system.)

The system had severe functional problems and so the corporate systems
gurus were called in to find out what was wrong and what it would take
to fix it.  Amongst others, the now-current developers were interviewed,
and when asked, I was quite candid about the deficiencies of the
system's design and implementation.  One of the few original developers
that did relocate piped up and said, "Well, that's Ada for you." 
Without even thinking I shot back "It's not Ada, it's _poor_ design." 
And oh Lord it was.

Marc A. Criley