The hidden costs of duct tape software
Last summer, a large tech disruption hit airports and hospitals, all because of a faulty update to a cybersecurity program that crashed Windows. On the occasion of October cybersecurity month, Professor of Software Engineering Paris Avgeriou talks about the cost of hidden problems with major consequences. Avgeriou collaborates with companies to detect such problems and to limit their impact.
FSE Science Newsroom | Text Charlotte Vlek | Images Leoni von Ristok
More often than not, software engineers use duct tape solutions
‘Imagine you’re building a car,’ Avgeriou illustrates. ‘You’ve worked out a design, and you’re now constructing a prototype. Then you discover that two parts of the engine do not quite fit together. The right thing to do then is to go back to the drawing board and redesign them. But that’s not what you do because you’re out of time; instead, you use duct tape to hold the two pieces together. And it works! At least, no one will notice unless they look under the hood. And you think to yourself: later, I’ll go back and fix this.’
‘More often than not, software engineers use duct tape solutions,’ Avgeriou says. ‘You’d be surprised. Obviously, every software engineer wants to deliver high quality, but often, companies are under enormous business pressure to release software quickly, and this means that sub-optimal choices need to be made.’ And before you know it, the intention to go back and fix things later on is forgotten.
For instance, the update that shut down airports and hospitals would have been resolved in time if Windows had had a built-in mechanism to detect faults in the so-called kernel, the central part of the operating system. ‘Then, the solution could have been very simple: stop the faulty software and revert the update. But building such a system is a major change, as it would involve correcting a sub-optimal choice from decades ago,’ Avgeriou explains.
Debt and interest
Technical debt is what the software world calls the hidden costs of these sub-optimal choices. Once you’ve started using figurative duct tape to fix problems, making further changes becomes increasingly difficult, so you add even more duct tape. The cost of repairing this at a later stage increases, much like interest paid over a debt.
The largest cyber security vulnerability ever was caused by a small piece of open-source software: Log4j. Avgeriou: ‘It’s a software library that logs data while a program is running. That’s useful when a program crashes, for instance, so you can look back and see what happened. More than ninety percent of all web services used Log4j when a security vulnerability was discovered in 2021.’
That would mean that all these web services built on Log4j were at risk of being hacked, with service disruption and data being stolen. ‘Luckily, the problem was quickly resolved,’ Avgeriou says, ‘but have all these services that depend on it also updated their software?’
‘Updating third-party software requires effort but has lower priority than developing new features, so companies postpone it. So, it is also a kind of technical debt that bears the additional risk of security vulnerabilities,’ Avgeriou explains. By emphasizing not only the costs of technical debt in terms of euros but also the risk of cyber-attacks, he hopes to motivate companies to really take action.
The term technical debt has existed since 1992, but only about fifteen years ago did the research field really lift off. Avgeriou: ‘That has everything to do with software that became increasingly larger and more complex. The problem of technical debt is invisible to end users but has become a huge dark cloud for CEOs and CTOs.’ Avgeriou plays an important role in shaping the international research field. He often conducts his own research in collaboration with companies: he identifies the duct tape in their computer systems, estimates the costs of fixing it, and helps to prioritize what needs fixing first based on how much interest is being paid.
Looking under the hood
Avgeriou’s research group has developed several tools that can detect when something is not in order underneath the hood of the figurative car. For instance, software tool Arcan can identify and measure technical debt at the architecture level, which is the most expensive type. The PhD student who developed this tool has since obtained his PhD and currently runs a spin off company, also called Arcan.
And it’s about actual money: the costs that you actually need to pay if you want to repair your software at a later stage
‘While software developers understand that the system is messy, they are most often ignored by their managers. But as soon as you tell managers that there is a million euros of debt hidden in the system, they will listen. And it’s about actual money,’ Avgeriou emphasizes: ‘the costs that you actually need to pay if you want to repair your software at a later stage.’ Or the costs of a shutdown like that of last summer.
Avgeriou and his team help companies to determine which problems really need attention first. ‘Sometimes you can leave some duct tape,’ he explains, ‘as long as it doesn’t keep growing.’ In particular he often works with high-tech industry in the northern Netherlands, in his new role as director of the Engineering Doctorate Autonomous Systems. Avgeriou: ‘Look, you can sit in your office and come up with problems, but my passion is to work together with companies and help them fix their problems.’ Would he like to work with the Tax Administration (Belastingdienst)? ‘Yes, very much. I bet they have some interesting technical debt in their decades-old software.’
Last modified: | 10 October 2024 11.10 a.m. |
More news
-
08 November 2024
Two 6.7 million grants for FSE researchers from Dutch Research Agenda
Researchers of the Faculty of Science and Engineering have been awarded two large NWO grants for global biodiversity restoration and research into the origin of life.
-
05 November 2024
Five million ERC Synergy Grant for synthetic cell research
Professor Bert Poolman, together with Prof. Petra Schwille, receives an ERC Synergy grant of five million euros for synthetic cell research.
-
28 October 2024
CogniGron: A revolution in future-proof computing
In this first article of the two-part CogniGron series, Beatriz Noheda, Niels Taatgen, and Erika Covi tell us about drawing inspiration from the human brain to make smart devices even smarter.