Knight Capital Group started functioning on 1st August 2023, with a team of over 1400 employees, possessing a 17.3% chunk of NYSE and 16.9% of NASDAQ. Serving as a broker in Knight Capital presents an outstanding opening for those aspiring to join the US stock trading sector.
An unforeseen predicament arose today. At 9:00 AM, during the commencement of trade at the New York Stock Exchange, the first retail investor began trading. Within just 45 minutes, Knight Capital’s software had executed more than 4 million transactions, causing a loss of $460 million, pushing the company to the verge of bankruptcy.
The recent calamitous event seems to have been triggered by a sequence of unfavorable events concerning computer code. Earlier, the development team had rolled out an upgrade to the live server, which seemed harmless, but concealed a perilous bug.
At times, software problems can have widespread consequences, just like the Log4j debacle, which disturbed the computing arena for several weeks, impacting countless individuals across the globe.
One of the most widely used Java-based logging tools, Log4j, was recently found to have a security vulnerability. If exploited, this flaw would permit cybercriminals to remotely execute code on a targeted system, allowing them to obtain confidential data or plant malware.
How grave was the problem? Considering that Log4j is used by major companies such as Apple, Amazon and Twitter, it is understandable why Akamai Technologies registered more than 10 million efforts to exploit the flaw per hour in the US alone.
What is a Bug?
An error in computer code that leads to an incorrect, unexpected or unintended outcome is known as a bug. Although coding deficiencies may contribute to the emergence of bugs, it is not always the case.
Regrettably, the NASA Climate Orbiter worth $125 million was destroyed on Mars. The software program had determined the amount of force, in pounds, that the thrusters should apply, but another data reader interpreted it as metric. What lessons can be drawn from this event?
Each code segment performed flawlessly upon individual examination. The calculations were carried out by the engineers from Lockheed Martin Astronautics in Colorado, but the conversion to the metric system was missed due to an oversight. Despite this, NASA applied the customary unit of newtons per square meter for their computations.
The occurrence at Knight Capital is a prime example, where the presence of obsolete code that was never deleted from their systems resulted in the catastrophe. When an indicator was incorporated in the upgrade, the software misjudged it to be in a testing environment and proceeded to execute a vast number of transactions.
Following an investigation into the incidents, it was discovered that Knight Capital did not have a formal code review process or quality assurance team to oversee its operations. This indicated that there was no one accountable for detecting flaws. As a result, there was an inadequate number of safeguards in place.
Although the Quality Assurance (QA), DevOps Engineering, Software Testing and Code Review Teams are all essential resources, they alone cannot entirely prevent the introduction of defects. In some instances, the only approach to tackling an issue is by identifying it when it occurs in production and fixing it promptly.
An External Perspective
Because of limitations imposed by the software development process, such as satisfying consumer demands, adhering to deadlines, coordinating with other programmers and accommodating unexpected modifications, it is simple for problems to go undetected.
The phrase “hindsight is 20/20” is frequently used, and it’s substantially simpler to evaluate code after it has been written than to do so while under duress. Every programmer has reflected on a past coding decision and wished they had handled it differently, but assessing it in hindsight is straightforward when there is no time constraint.
On the other hand, our customers use our products in a distinct environment altogether. They can access it without limitations on their preferred platform. Given these circumstances, it should be anticipated that consumers may encounter problems.
Bugs can create a variety of problems, causing users to be either curious or exasperated. Nevertheless, can they be utilised to the advantage of developers, the general public and ourselves?
Introduction of Bug Bounty Programs
A vast number of companies, websites and software developers offer ‘bug bounty programmes’, which provide monetary or public incentives to users who report any bugs, particularly those that could potentially be exploited for security purposes.
Twitter and Google, two of the biggest names in the technology industry, are counted among the entities that employ Bug Bounty programmes. The US Government, alongside many other countries, compensate individuals who responsibly disclose any security flaws present on official websites.
Several websites have created communities that compile information concerning Bug Bounty programmes, which has been positively received. It is crucial to comprehend why this is the case.
It is evident that software development can greatly profit from the collective wisdom of a large group of individuals. Although developers can only conduct a certain amount of testing, partnering with the broader community enables users and developers to team up, identifying and resolving any bugs or security flaws.
Through offering incentives for the detection of security flaws, we can partner with skilled professionals to boost the dependability and security of our product. This is an open-source strategy aimed at further strengthening the safety of our software.
Bug bounty schemes have proven to be beneficial for novice programmers, allowing them to showcase their skills and comprehension of software development practices and security protocols through coding projects.
For businesses, creating a bug bounty programme is a simple undertaking. Numerous websites offer these programmes, and all that is needed is to promote your own initiative and establish a reward that is proportionate to the size of your business.
To conclude, bug bounty programmes should not be viewed as a substitute for quality assurance or other security practices, such as DevSecOps; instead, they should be regarded as a complementary approach. Achieving the highest quality is crucial to realising the full potential of software.