Three Vulnerabilities We’ve Learned from Heartbleed

The Heartbleed bug. The name, evocative as it may be, still doesn’t capture the enormity of why the online security world is on fire this week. The front door to two-thirds of all websites on the Internet has been left unlocked. It’s the sort of thing that has everyone from the world’s biggest cloud computing providers and web search portals, to bitcoin exchanges and algorithmic investing platforms, all frantically working long hours to change their locks.

How did this all happen? Malicious foreign cybercriminals? Mischievous black-hat hackers? Privacy-busting NSA spooks?

Nope. A simple programming goof. Here are details, for the code-savvy.

That’s right – similar to the GoToFail problem that waylaid Apple a month ago – all it takes is one bad copy-and-paste and suddenly a small coding error can trickle through a system.

This all goes back to one of the points that Pega’s founder, Alan Trefler, emphasized in his recent interview with CNET:

"We haven't changed from the way software was getting built 50 years ago," said Trefler. "Systems are being built today that are the antithesis of the way other industries do it. If you were building a 787 or a vase, you would use CAD. But with most software, there's no model in the heart of software systems. It's all just coded around artifacts that got spread among hundreds of classes that are archaic."

We can’t end all bugs in software. But it’s amazing how much of the world’s software relies on the constant vigilance of programming teams to stitch together code artifacts. That leads to three vulnerabilities:

 

1. Maintaining multiple versions of applications;

2. Cascading complex logic properly through all branches of code;

3. Desperately trying to keep up with changing requirements without breaking everything.

 

If major flaws like Heartbleed and GoToFail can exist in the wild for years, with hundreds of thousands of programmer eyes on them, how are today’s heavily burdened IT teams able to keep their own homegrown applications up to speed?

To fight these vulnerabilities, the world could really benefit from a CAD for programming. Then we could talk in terms of business models. Those models could then generate fully functioning applications without a single line of code. And, we could adapt and improve those solutions—without the dangers of manual coding – as our businesses grow. There is a better way.