External audits are already required for finances. Safety critical systems are even more important and should be subject to even more scrutiny as a result.
It'll take a lot of resources to develop institutions to do this. It'll take a long time to debug these institutions.
We're still arguing over "goto considered harmful", "the billion dollar mistake" and how toolchains influence code-safety-behavior.
And there exists a class of CASE tools from the '90s that, while being somewhat clunky, addressed some of the transparency issues. But those are hardly even relevant any more.
And to make it worse - the final configuration of the system matters just as much as whether the code bases for the individual nodes have passed an audit. This is especially true of CAN networks.
The thing to bear in mind about banks is that nowadays they are really computerized service companies that happen to specialize in finance. Competent tech isn't just a competitive edge, it's fundamental to being able to operate at all.
I've worked in two of the biggest US banks for years and I can confidently say both important departments were far from completely understood by most people working there, let alone outsiders doing an audit.
Most of the complexity is in the messages passed between systems. In a code audit it's fine to remove sending tag X by system A but then you find out when you hit prod system B used tag X and now it's not there which causes a problem in system C. And that would be a simplified example.
I'd be disturbed by any outsider claiming they understand the dynamics of multiple systems with millions of lines of code which often have feedback loops.
Honest question, have you ever worked for a bank? Many still run on AS/400 mainframes in the backends. Knowing what I know, that comment actually couldn't be further from the truth. Banks are insanely risk adverse, and rightfully so. If it works perfectly, they absolutely will not change it, even if the newer shinier tech has real benefits.
Source: I don't work for a bank, but have worked in electronic trading for the past 8 years and work directly with the (in)competent tech teams from other banks to clear and reconcile trading bits.
Using AS/400 systems would make them a computer service company. I actually work at a bank (developing apps) and we use a massive COBOL system for a lot of data. However, we also have a massive Hadoop cluster (much larger than the COBOL systems, and firewalls everywhere.
Banks might not be the most competent at web programming, but they higher a ridiculous number of awesome security folks. I would still put them behind Apple or Google in their given domains, but many banks have pretty robust technical systems for their domain.
Every bank I've ever been with has had a pathetic limit on its online banking passwords.
One of them (NAB) was limited to something like 10 characters and only numbers and letters.
Maybe that's changed recently but still, firewalls won't help you when somebody brute forces your users' passwords in 10 minutes.
> Many still run on AS/400 mainframes in the backends.
Are you implying that using old technology makes it somehow incompetent? I don't know about you, but I absolutely do not want my financial institutions to be running their risk analysis software in Node just because someone wants to try it out.
Nope. I'm implying that they don't use the latest and greatest or "best tech". I'm agreeing with your opinion and having worked with the tech teams of banks am confirming it as truth via firsthand experience.
Like in any industry there are good teams and bad teams. Working in finance verses working in say social does not automatically make you a bad developer.
Culturally there are two things make finance different. One is that it is a hideously conservative and risk adverse. AS/400's are used because they are well understood, very reliable, and supported by someone other than an attention deficit teenager in a bedroom.
Second is that mainstream finance doesn't see itself as a technology industry. There are areas like quant investment and high frequency trading that are, but most finance companies still look at technology as a line item on the budget rather than the foundation that their business is based on. This is changing slowly (see one) but will mostly likely require an external disruption to push change through any quicker.
So which part of simonh's comment were you saying couldn't be further from the truth? I didn't see anything in his comment about the latest and greatest or "best tech".
That may be true of the largest banks, but there are hundreds of others that are running on fairly incompetent tech. Either way, external audits have been a part of them for much longer than the computerization has been.
The irony is that instead of incentivizing auditing of system, hackers and security researchers put themselves at huge risk whenever they look for, find, and report vulnerabilities. The companies that have bounties are doing it right.
That's true, and it isn't hard problem. But note that audits are also a hard problem. Auditing teams don't go through and reconcile every transaction. They conduct spot checks of sample transactions and scrutinize controls, and aggressively follow up when any failure of controls is observed. I think a lot of those concepts could be applied to code audits.
I think a better approach would be requiring that developers (and their managers and testers etc.) working on software that could kill or injure people if it malfunctioned have some sort of a professional license, that would be granted and revoked similarly to how medical and engineering licenses are granted and revoked.
I'm not opposing this idea, but I'm not sure it would have helped in the VW case. There were some people (engineers? Managers?) who were cheating and they knew that what they were doing was wrong. I don't believe a license would have changed that.
Other people have raised the question of how well the prospect of losing a license would act as a deterrent.
One other aspect which might be even stronger would be if the professional organization had a role not unlike a union in protecting its members’ professional decisions. Imagine if you worked at VW and your boss told you to make a change which affected safety, emissions, etc. – how different might your reaction be if you know that if you refused or reported it to the appropriate regulators and there were repercussions the Bitpackers Guild could provide legal representation and expert witnesses for you, stage a strike where no licensed engineer would work for an irresponsible company, or simply ensure a lot of publicity? Suddenly it's not “go lean on Sally until she gives the engineering sign-off. She can't afford to quit until her kid's out of college” but “do we want a team of professional engineers to hold a press conference saying we're cutting corners over our experts' judgement?”
There are certainly potential downsides but … anyone who drives a car, uses medical equipment, etc. might reasonably conclude they're worth it, particularly if the system was structured to focus on transparency and due process rather than the pathology some unions are prone to where members are always defended even when they're in the wrong.
If a developer is asked to do something obviously wrong they might not feel they can refuse, because they can be replaced with someone willing to do it.
If an architect is asked to design a bridge that isn't safe they can refuse, secure in the knowledge they can't be replaced with someone willing to do it, as no licensed architect will knowingly design an unsafe bridge.
Of course, a licensing scheme would probably have a bunch of disadvantages.
Perhaps the threat of having their license pulled, thereby nullifying potential future employment might have caused them to think twice about wilfully cheating emissions controls?
While the FDA may not be a great regulatory group, if someone at a pharmaceutical were found to cheat like this they could potentially be barred from working in the industry again. This works in some cases, at least in theory.
While I don't agree with the license requirement the least we could require is publication of the source code and validation by an industry body made up for subject matter experts for safety critical code.
Even the possibility of an external source code, revision history, requirements etc... audit would change working practices dramatically ... particularly if there were legal penalties against developers found responsible for introducing bugs.
There's no way in Hell that I will consent to be held responsible for the output if I do not have full control over the inputs.
If I am an employee of the company, and someone else is telling me what to do for my job, and particularly if they are telling me how to do my job, they must necessarily share responsibility for anything that I do pursuant to obeying those instructions.
And threat of retribution leads to stupid practices:
public void CoverYourAss()
{
try
{
int x = 0;
}
catch
{
throw;
}
}
This is a simplified example of a real-world coding standard. At one of my former workplaces, everything had to be wrapped in a try-catch block, including statements that would only ever generate run-time exceptions, like out-of-memory exceptions. It didn't matter if you re-threw the exception you just caught. You just had to make sure the try-catch was there. In every function. Or you're fired. I am not making this up. If the software ever crashed to desktop for any reason, including a bad memory module in the computer running it, or someone nuking parts of the filesystem while it was running, or even a bullet striking the motherboard, someone was getting blamed for it on the development team, and fired. As it would be a witch hunt anyway, the inquisition squad would obviously look at the code written by those most threatening to them, or least popular, or both, before anyone else, and seize upon any irregularity to lay blame.
You'd better believe I was sending out resumes the day I found out about that.
I can only imagine how bad it would be if the penalty was to be fired plus arrested and/or sued.
You really have to remove the incentive to cheat from the software group before the tests happen.
A defeat device does not get installed accidentally. It's not like a mutation propagating through evolution of living things. Someone decided to put it there, and someone got paid to do it. There was an additional requirement added, one that had no official test coverage. It was to increase fuel economy and produce more pollution when no one was paying attention to the emissions.
As far as the developers were concerned, they did everything right. They built the code their employers asked them to build. It passed the official tests. This was a triumph; I'm making a note here: "huge success!"
The developers worked for the automakers, not the testers or the public. They did what VW wanted, which was to game the system to make more money. You're not ever going to do more than start an arms race as long as the developer is taking orders (and getting hired or fired) by the guy who just wants to sell more cars.
We're still arguing over "goto considered harmful", "the billion dollar mistake" and how toolchains influence code-safety-behavior.
And there exists a class of CASE tools from the '90s that, while being somewhat clunky, addressed some of the transparency issues. But those are hardly even relevant any more.
And to make it worse - the final configuration of the system matters just as much as whether the code bases for the individual nodes have passed an audit. This is especially true of CAN networks.