Comment on Do We Need a New Agency to Reveal Software Secrets? by Rich Marsh

I’m an old geek, who worked in software for more than 20 years. I was dealing with applications of all size, from a few dozen lines through those with millions of lines of code. (I worked for Big Blue and we wrote software that ran all aspects of telephone companies and later with firms that traded options and sales of energy.)

This is a nice idea – but the only one who could certify the code would be a software design architect who’d been involved with the project for years, and who knew what everything did. I remember one example where we found a literal in the code that ruled out the provisioning or assignment of a specific telephone number. We couldn’t find anyone who knew why, so we changed it. Bad decision. It turned out that number was used by field techs for testing purposes.

So, an agency would not be able to do that. How many lines and routines are in Windows 10? While at Compaq, I dealt with the initial versions of Windows, when it ran on top of DOS. (Yeah, I’m that old.) Even then, it was fairly thick code.

Instead, why not have the agency certify the architect? They could be bonded, and expected to certify that the code met certain criteria. The source could be stored (a common requirement in many contracts anyway), and the certification would go with it. Since most large apps have multiple architects, each would certify that portion of the source that is relevant to their coverage.

I think that’s a more workable solution.

Source: New feed