On the way into work this morning I was listening to an NPR report on the GM IPO. Mind you, I don’t want to get into a discussion on GM, the economy or any of that. However, an interesting quote caught my attention:
Hall says GM’s real problem isn’t the bankruptcy, it’s the company’s old culture. For decades, GM leaders protected internal fiefdoms at the expense of the core business. The old GM sold cars with quality issues at a loss just to protect its market share. In the end, it lost the market share anyway.
To be completely clear, it’s the third sentence that grabbed me and had me thinking about the software implications. For quite some time, companies all over the world doing all kinds of business have created software to further their business goals. Just about any developer will also tell you that working on these projects is a pressure cooker of getting to market. Get whatever it is you’re developing (a web site, a full client application, a widget, an add-on, whatever) out the door, get it out fast, and spend as little as possible. Sound familiar? Sound like a lecture you may have heard about the Project Triangle in school? So if we have the choices of good, fast and cheap, and we are pressing for fast and cheap, it’s obvious that good (quality) is being sacrificed. And I am not just talking about the standard view of quality here; I am a software security guy after all, and for me security is a quality metric. This is not about trim, door squeaks and abilities (all good quality metrics themselves).
Now I don’t want to go running down the path of software security as a quality metric or how that fits into software development; those are all good topics, but it was another question that struck me when I heard that quote. What makes us think that we can ship software with security bugs we could have fixed with a concerted development lifecycle, just to get to market first, and still keep our customer confidence and market share? We seem to be making the mistakes of GM almost every day in a whole set of industries. Some of these industries are quite sensitive for normal consumers: health care, financial services and the like. If we fail in our security efforts, or just don’t focus on them, and people lose sensitive information, are we really going to keep our market share? Why do we keep operating companies on these models? Just because GM makes cars and we don’t does not mean there are no lessons to learn here.