Daily Archives: October 27, 2006

Great post on WTF about software quality.

I noticed a great post on The Daily WTF about software quality, and some of the things that companies do to ensure that software is of a high quality. I was talking to Andrew Matthews today while we were out on a client site.

He has been working on a piece of software for the last couple of months that we handed over to the customer today after fixing some bugs that were picked up in testing – he mentioned that he felt that software is something that can be hard to let go of because you can’t imagine it surviving in the world without you. It’s kind of like a child.

While I was reading the WTF post I had his comment in the back of my head, and I started thinking about the analogy a little bit further. It fits really well – especially in terms of software quality and environmental configuration.

I’ve been a bit hot and cold on having fully isolated environments for software developers. I think that if you can swing it, having everyone on the same network and part of the same Active Directory environment (if we are talking Microsoft-based environments) really makes things easier. Most infrastructure people will tend to want to put an air-gap between developers and “their network”. You have to appreciate their position – they have to try and maintain a certain level of service.

But I am wondering if the air-gap approach actually defeats everyone in the end. It is kind of like those sickly children that you see that were kept in a completely sterile environment and as a result did not get a chance to develop natural immunities to things that occur in nature. Does the same not happen to software?

By developing software in the target environment we get to understand what is good and what is bad very early on in the development cycle, and while there may be some pain – it is probably less than the software arriving DOA.

Thoughts?

SecureStrings are reversible.

My co-worker Corneliu Tusnea has figured out a way to easily reverse the .NET Framework’s SecureString instances and integrated it as a feature into his Hawkeye application (already a formidable tool for editing .NET objects in running applications). The SecureString class is designed to be an easy way for developers to obfuscate strings in memory so that it’s difficult to get them out of a memory dump by spreading it through the memory space of the host process. They just give you a little bit of extra security.

At runtime, anyone who knows their way around the .NET Framework can probably think up a way to get a SecureString instance back into its unencrypted state, but where the real power of Hawkeye comes in is the way you can just attach to a running process.

Since Corneliu is a “good guy” he has decided to only offer the SecureString decryption functionality in Hawkeye for a price, in an effort to stop it being used by the vast majority for illegitimate purposes. Well before he released his code he also contacted Microsoft to discuss the issue.

There isn’t really anything that can be done about it – SecureStrings MUST be reversible at some point in time, so Microsoft suggested that he go ahead with his release, but put it in a commercial version. Corneliu has decided to donate the proceeds from Hawkeye to a worthy charity which will change on a rolling basis – way to go Corneliu.
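To show what “must be reversible at some point” means in practice, here is an added example (not Corneliu’s code or anything from Hawkeye) of the documented in-process round trip: the string is protected character by character, then decrypted through Marshal.SecureStringToBSTR whenever code needs the clear text. The sample value is constructed; the point is that every consumer of the value necessarily holds a clear-text copy while it uses it, so the unmanaged copy is zeroed and freed straight after.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security;

static class SecureStringRoundTrip
{
    // Build the SecureString one character at a time: there is deliberately
    // no constructor taking a managed string, since that would already be
    // sitting unprotected in memory.
    static SecureString Protect(string clear)
    {
        var secure = new SecureString();
        foreach (char c in clear)
            secure.AppendChar(c);
        secure.MakeReadOnly();   // no further AppendChar/RemoveAt allowed
        return secure;
    }

    // Recover the clear text: the instance is decrypted into an unmanaged
    // BSTR, copied into a managed string, then the BSTR is wiped and freed.
    static string Reveal(SecureString secure)
    {
        IntPtr bstr = IntPtr.Zero;
        try
        {
            bstr = Marshal.SecureStringToBSTR(secure);
            return Marshal.PtrToStringBSTR(bstr);
        }
        finally
        {
            if (bstr != IntPtr.Zero)
                Marshal.ZeroFreeBSTR(bstr);   // zero the unmanaged copy before freeing
        }
    }

    static void Main()
    {
        // "hunter2" is a constructed sample value for this example.
        using (SecureString secret = Protect("hunter2"))
        {
            Console.WriteLine("Length while protected: " + secret.Length);
            string recovered = Reveal(secret);
            Console.WriteLine("Recovered: " + recovered);
            // 'recovered' is an ordinary immutable managed string: it cannot be
            // zeroed and stays in memory until the garbage collector reclaims it.
        }
    }
}
```

Keep the Reveal window as short as possible and pass the SecureString itself (for example to APIs that accept one) rather than the recovered string wherever the framework lets you.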

You can download Hawkeye from Project Distributor.