Main technology firms are currently fixing security exposures faster, motivated by he urge to close gaps for their customers. According to ciodive.com.
Vendors took an average of 52 days to fix security exposures in 2021, down from 80 days three years ago, data from Google’s Project Zero show.Â
Between 2019 and 2021, Apple fixed 87% of its bugs in 90 days; Microsoft fixed 76% in the same period.
“The tech community is becoming faster at fixing uncovered security issues due to several reasons, including improving DevOps and CI/CD technological developments, adopting bug bounty programs into the mainstream, adopting open source platforms’ security issue tracking, and Project Zero making an impact,” said Eylam Milner, director, Argon Technology with Aqua Security.
There is a caveat to this growth. The biggest tech companies handle their bug bounty programs differently compared to smaller or little-known companies.
“Companies like Microsoft, Facebook, Oracle, Mozilla, and Linux operate differently, let alone tackling security issues, then most software vendors and open source projects,” Milner said.
While the average time to fix an exposure has decreased, that could be somewhat misleading founded on the companies involved. On the other hand, trends like this always have a trickle-down effect that is resulting in a positive impact throughout the tech industry.
“When a big tech company (like Facebook) is compelled to fix a security issue in 90 days, this puts the company in a position to innovate with the in-house organizational hierarchy, engineering culture, and even modern technology solutions,” said Milner.
The vast engineering community always imitates big tech architects, enhancing the way the whole community deals with security issue fixing.
While the tech industry is perfecting at remediating security exposures in a much more timely way, the need to fix problems isn’t trickling down to the institutions utilizing the software. In case a customer lacks quickness in deploying a patch, a flaw can stay.
Although many members of the security community preach the significance of defined security patching procedures and techniques as part of the general security policy, there exists a knowledge gap, according to Matt Carpenter, a senior principal security researcher with GRIMM.
” Among the major aspects of an up-to-date security policy is recognizing what technologies/assets your institution maintains, and having routine patching intervals, techniques, and written procedures,” Carpenter said.
Although companies recognize the importance of automated updates and frequent automated checks and reports for out-of-date machines, less-security mature companies lag.
How Tech Can Enhance Bug Fixing Efforts to Fix Bugs and Motivate Patching
Regardless of how good tech companies have become at evaluating security exposures, there is often room for development. Incorporating automated application security remedies is crucial for getting deeper into vulnerability assessment and fixing.Â
“Software customers and dealers can’t deal with a large amount of security risk in large codebases without an automated process for detection, remediation, and prevention,” said Milner.
The second step is to teach organizations to collaborate with trusted security firms in a long-term policy, which helps lower both risk and cost in the long run.
“For instance, every organization should put in place a Security Architecture Review or similarly Threat And Risk Assessment from a reliable and informed external security company,” said Carpenter.
Whereas informative, for inspections to add the most value, institutions should form an internal security team with the main executive onboard, like a CSO, CIO, or CTO, to act as a liaison with the external inspection group.
This makes sure assessment outcomes are communicated throughout the company and the necessary fixing steps can occur.
It’s crucial to have clear policies for addressing general asset management, according to Daniel Trauner, senior director of security with Axonius.
“Without an asset management policy, you might not even realize that there’s a patch to apply,” Trauner said.
And in case if patches aren’t applied quickly, the rapid fixing time of vulnerability by tech companies won’t help much in terms of preventing attacks.
What is Bug Fixing?
According to techtarget.com, despite the best practices and developers’ diligence, bugs are an unavoidable part of software development. Accordingly, so are deficiencies within live software. A bug — particularly a defect in production, is a difficulty because it presents the risk of missing customers.
Information Technology institutions have several ways of fixing bugs in production. The variety of skills reflects a range of risk tolerance and how promptly the team needs to create new features. Bug fixes can differ relying on the type of product and its goal criticality. The extent of a bug can also determine whether it needs a sudden fix or not.
Software squads can utilize these 9 ways of fixing bugs in production:
Establish a Standardized Process
- Arrange to quickly fix defects.
- Practice time management.
- Implement benchmarks.
- Prioritize test code.
- Perform chaos engineering.
- Move fast and break things.
- Adopt a mission-critical mentality.
- Mature the product.
- Establish a standardized process
It’s important to establish a standardized process to address bugs.
“Escaped defects are an awful reality of software engineering,” said Casey Gordon, director of Agile engineering at Liberty Mutual Insurance. Despite best efforts to stop defects before they end up in customers’ hands, a production problem inevitably arises. Gordon’s staff relies on proactive monitoring, observability tools, and customer feedback for alerts on such defects.
At Liberty Mutual, software engineers cannot directly modify code in production. Rather, these developers use pipelines and trunk-based development to quickly deploy code changes to production. This release management strategy can promote stability in the long run, as it enables developers to experiment with smaller releases.
“We’ve learned that being over cautious and applying legacy approaches to release administration only yields larger batch sizes, longer means time to recovery, and increased risk,” Gordon said. Through DevOps practices, Liberty Mutual developers push smaller, more targeted releases into production. These engineers have also separated software components into loosely coupled microservices. Microservices enable them to fix issues with minor code changes and less procedure than it would take for a monolithic architecture.
Plan to Quickly Fix Defects
Another approach to fixing bugs in production is to work backward from bug identification, to how the team could swiftly address such defects.
“While we think that we should do everything in our power to avoid bugs in production, you should still plan for when, not if, a bug surfaces [there],” said Yoseph Radding, a software development engineer at Amazon who also provides DevOps consulting through Shuttl.io. Developers can ensure faster resolution by proactively working on bottlenecks that could slow fixes.
First, focus on making the code and its dependencies easy to run locally using the 12-factor app methodology, Radding recommends. The 12 factors related to the following:
- code base
- dependencies
- configuration
- backing services
- build, release, run
- processes
- port binding
- concurrency
- disability
- parity
- logs
- admin processes
- Then, make the deployment process automatic and easy, and keep deployments small.
Second, focus on monitoring and logging to help catch issues quickly. Technologies like feature flags, which are switches to turn parts of the code base on and off, can stop problem areas easily and quickly, in as little as 200 milliseconds. “We keep some feature flags permanently around particularly nasty code and integrations, to give us a kill switch in case anything goes wrong at any time,” Radding said.
He also recommends reverting changes rather than rolling them back. Radding uses the git revert command to undo specific commits and adds a new commit that removes the changes in the old commit. This technique ensures that other changes remain when a developer removes the problem code.
Practice Time Management
Bug fixes are faster and less disruptive to production when the team has a well-planned strategy. There are a few paths to follow, each with pros and cons. Said Phil Crippen, CEO of John Adams IT, an IT services consultancy.
Allocate the team or an individual to fix bugs for a set time slot every day. This arrangement establishes a buffer period that becomes a regular part of the daily routine. Teams are continuously aware of bugs and can deal with them daily. However, this buffer period can steal time from other obligations, and not all bug fixes will fit in the allotted time frame.
Establish bug estimates from existing data. Always, software teams work on multiple programs, and they can gather information about past bugs and how long it took to fix them.Â
Categorize these findings in terms of size and time to fix and use that data to generate an estimate of how long it should take to fix a future bug. This technique can speed up the process and show the team what types of bugs are likely to occur. However, you can’t anticipate all cases and data collection takes time.
Implement benchmarks
Software teams should use benchmarks to estimate how many bugs the team can fix in a month. For example, in the U.S., an average programmer can fix between nine and 10 bugs in a month, Crippen said. An experienced programmer can fix up to 20 bugs in that time. With these averages in mind, IT leaders can estimate how many bugs the team can tackle.
However, such estimates may not be accurate for all bugs, or broadly applicable to programmers in various countries. This approach is useful when paired with other techniques for fixing bugs in production.
Utilize placeholder times for every bug fix and then dedicate a portion of the workday to resolve them. A placeholder for a fix often offers enough time to complete the work, and it can be helpful when working in the Scrum framework for Agile. But the downside is that it can be more time-consuming than other scheduling strategies to address bugs.
Prioritize Test Code
A development team can prioritize the code it uses for testing at the same level as production code. The result is that fewer bugs will slip through to live environments.
“Development might slow down in the beginning as you begin writing tests for prevailing functionality, but the quality will go way up,” said Shayne Sherman, CEO of TechLoris, an IT consulting service.
Retain test code as carefully as project code, and always write unit tests for any change developers make. It’s impossible to have a less rigorous system and get better results, according to Loris. He argues the only alternative is to halt development to fix bugs — sometimes called a fix-bugs-first approach — which he’s unfortunately seen happen.
Perform Chaos Engineering
Software testing verifies the code does what it’s supposed to. Nonetheless, such QA can miss bugs caused at the level of the systems where the code runs. Chaos engineering hits software — usually live in production or a realistic staging environment — with unpredictable disruptions.
“Chaos engineering is a way of testing that the entire system is doing what you want it to, and code is just one part of the mix,” said Manish Mistry, CTO at Infostretch, a digital engineering consultancy. To test effectively, the system needs to be running in production. After all, it’s only in production that a team can work with factors like state, inputs, and how external systems behave.
It’s helpful to budget for dark debt, Mistry said. Dark debt is the unforeseen anomalies that happen in complex systems of software and hardware. A growth team can’t foresee every interaction in these systems. The term is a portmanteau of technical debt from IT terminology and dark matter from space.
One downside of chaos engineering, however, is how risky experiments are in a full production environment. A staging environment that is as close to production as possible is another option, Mistry said.
Move Quickly and Break Things
A corporation might take a relaxed attitude about releasing production code with bugs if business growth and popularity depend on pushing out new functionality quickly.
For instance, startups get their products out the door to attract investors. Releasing a product with known imperfections may be the only way to keep the lights on and stay afloat long enough for its next release, said Dave Wade-Stein, senior instructor of software development at DevelopIntelligence, an enterprise tech learning program.
However companies should pair fast and seamless rollouts with fast and seamless rollbacks.
As it thrived, Facebook embodied a “move fast and break things” mindset that helped the company dominate the social networking space. “Given that Facebook is offering a free product delivered via the web, a bug in the production code wasn’t a calamity,” Wade-Stein said.
Nonetheless, this approach won’t always work. Frequent bugs can irritate customers and push them elsewhere. Facebook dropped the motto in 2014.
Adopt a Mission-Critical Mentality
Firms should avoid the former section’s approach when building mission-critical software like avionics, autonomous cars, or medical equipment. “You’re going to have to adhere to extremely rigorous processes if peoples’ lives or expensive equipment are at stake,” Wade-Stein said. A mission-critical mindset helps developers build software that improves the product’s brand reputation. However, the extra precautions are expensive.
A mission-critical mentality can encompass a shift to a consensus-driven process in which anyone can stop a new release. In a command-and-control management structure, exemplified by Waterfall development, a manager can decide to ship the product, even if the team doesn’t agree. Mission-critical development should empower employees to voice concerns.
“When software development procedures include more voices in the decision-making, the resulting products tend to be higher quality and more robust,” Wade-Stein said.
Mature the Product, Then Stabilize It
In the early stages of the product life cycle, teams can lose valuable time to market by focusing on perfect releases. The attitude toward fixing bugs in production can shift, depending on where you are in the product’s lifecycle, said Bastin Gerald, founder, and CEO of Profit. co, which provides goal management software.
The more mature the product, the closer the development team wants to be to zero bugs in production, Gerald said. At that point, the benefit of a stable existing product outweighs the incremental payoff of new features that attract customers.
“After you reach the product-market fit, you should focus on establishing your product,” he said.
Big Fixing FAQs
Here are the regularly asked questions.
What is meant by drive by bug fixing?
Automatic bug-fixing is the automatic repair of software bugs without the intervention of a human programmer. It is also commonly referred to as automatic patch generation, automatic bug repair, or automatic program repair. The typical goal of such techniques is to automatically generate correct patches to eliminate bugs in software programs without causing software regression.
What causes software bugs?
Bugs can be the result of incorrect communication about the project and its requirements. They can also come from a lack of communication, either about the project requirements or between team members who are collaborating, leading to problems when they attempt to integrate their code.
What is bug fixing in Java?
The process of locating bugs is one of the hardest tasks a developer will face. It is, however, an essential part of the debugging process the key to repairing a bug is to isolate the problem to a particular system component and then locate the exact section at fault.
What are coding bugs?
In computer technology, a bug is a coding error in a computer program. (We consider a program to also include the microcode that is manufactured into a microprocessor.) The process of finding bugs before users do is called debugging.
What are functional bugs?
Functional bugs are related to the functionality of a piece of software. Examples: A button doesn’t submit the form, the search doesn’t react to the user input, and the app crashes. Every time you perform an action and the website/app doesn’t respond as you expected, it might be a functional issue.
What is a major bug?
Major: Bug capable of collapsing large parts of the system. Critical: Bug capable of triggering complete system shut down. Now you have all the information you need about bug fixing and the frequently asked questions.
Now you have all the information you need about bug fixing as well as the frequently asked questions.
