Code analysis company Veracode has gone on the record in an attempt to determine whether or not the holiday season, or indeed the preamble and run up to it, is a time when developers exhibit their most shoddy coding practices. While developer competitions, surveys, and magic quadrants have overloaded us with contrived comment on what makes good and bad development for many a month and year now, Veracode director Fergal Glynn says that his company sees the security quality of the thousands of applications it tests on a daily basis.
Looking to discover whether there is any seasonality in code security quality, Glynn decided to focus his analysis on applications in early stages of the development lifecycle. In other words, those applications that are actively in development, or undergoing alpha and beta testing stages.
"Early in the development process, I reasoned, there would be a relatively quick turnaround from when the code was written to when it was scanned. In other words, I'm assuming that during the early stages of a development project, code is written and scanned within the same calendar month. I looked at application size and a roll-up of the total quantity of flaws per application," said Glynn.
This study examined thousands of alpha- and beta-stage applications and found an average flaw density of 24 flaws per megabyte of executable code and a median flaw density of 3 flaws per megabyte of executable code. A period of 24 months was scanned and, from January through to September, a relatively flat average flaw density line was observed. Then says Glynn, there is a big bump in flaw density in October and November before things begin to settle down once we go into December.
According to Veracode's Glynn, "The jump in application flaws is easy enough to spot. But what could cause this? Some of it could be seasonal. Maybe the build up to Thanksgiving has developers distracted? Are developers adjusting after the summer break? Fall brings the extra pressure of dropping kids at school and rushing in the evenings to pick them up after sports. There is also the added pressure to produce a high volume of code to meet end of year deadlines and releases. Scientific literature is full of studies on the effects of stress on higher cognitive activities, and its reasonable to assume that application developers, like most of us, may respond to added pressure by making more mistakes in the code they write."