On Software Correctness and Security

When I was in graduate school, my favorite book was Selected Writings on Computing: A Personal Perspective, by Edsger W. Dijkstra (Springer-Verlag, 1982). Organized as a printed compendium of Dijkstra’s best EWD articles – perhaps the earliest blog posts – the book remains a delightful read. It can inspire modern readers, much like the writings of Feynman and Einstein. I recommend that you go on Amazon right now and buy yourself a copy. (I’ll wait.)

A typical chapter would focus on a select computing primitive, such as linear search. The presentation would then include pages of beautiful prose and crisp mathematics, all centered on the design and correctness of the algorithm. The pieces are like little masterpieces, each crafted to demonstrate in its own way that computing science – like it or not – is a true branch of mathematics, and an unusually formal one, at that.

I had thoughts of Dijkstra, and software correctness, and computing science on my mind last week while having an iced coffee on Fulton Street with my new friend Erik Cabetas, founder of Include Security. I’d asked Erik to take the subway over from Brooklyn, because I’d caught wind of the amazing team of software experts he’d assembled, and I wanted to learn more about the fine software analysis and reverse engineering his company offers clients.

“We only hire experts,” Erik explained, “and we combine the best available software analytic tools, such as fuzzers, with detailed manual code review to identify design weaknesses and exploitable vulnerabilities in software. We can do this for virtually all forms of software including client applications, server applications, mobile applications, and web services. We can also reverse engineer software for security, litigation, or other purposes.”

Now, I hate to reduce the basis for Erik’s offering to a simple observation, but I’ll do so anyway: Software development continues to be performed by teams who are rushed to unreasonable deadlines by managers who prefer to deploy flawed software quickly. This business decision might reduce time-to-deploy, but it also results in a lot of crappy software. And that’s where Erik’s team comes in: They are best-in-the-business at finding your coding mistakes.

Consisting of an egalitarian team of international recruits, Include Security employs only the most capable and experienced staff – people for whom software is both their passion and art. Not surprisingly, Include Security’s world-class team members have also typically made the personal lifestyle decision to work only with clients that they believe they can help, and to blend their life interests with their work.

“Many of our team members enjoy working hard with a client on a tough software application assessment, often finding serious exploits that require immediate attention,” Erik explained. “They will often then seek some time off to pursue other personal interests such as foreign travel. This is our culture at Include Security, and it allows us to employ the best, and to provide an amazing work experience for them.”

Let’s return to Dijkstra: He made the point repeatedly that programming is a challenging discipline, and his assessment of the implications could be harsh: “Don’t blame me,” he wrote, “for the fact that competent programming, as I view it as an intellectual responsibility, will be too difficult for the average programmer. You must not reject a surgical technique because it is beyond the capabilities of the barber in his shop around the corner.” Ouch.

Dijkstra wrote those powerful words on September 11th, 1975, and because our field has not changed much in the decades that have since passed, the need for experts such as those at Include Security continues to be intense. My advice for those of you who write, use, or depend on software applications is this: Get in touch with Erik today, and ask him to take you through his fine services. Sadly, I think we can be certain they will find errors in your inevitably rushed code.

Please share what you learn.