Software Rot and Cybersecurity: Why Code Degradation Is Crucial to Business Safety
Software Rot May Be a Threat For Any Company. Learn What It Is and How You Can Mitigate the Risks!
Nature, people, states, machines, relationships – everything has a life cycle, including technology. Nothing stays in the same perfect condition forever and nothing works as it should without proper care and attention. This evanescent aspect of things concerns me today because I’m going to bring to your attention concepts like software rot, code rot or code deprecation, and data rot.
Data rot is easy to understand: the concept refers to data degradation, which corrupts information and makes it unusable. Regardless of what kind of digital storage you have (CD, DVD, SD memory card, hard drive etc.), data rot will happen over time – it is a natural process that cannot be avoided.
Your enemies are corrosion, dust, electric leakage, oxidation, physical scratches etc., so your best option for preserving information for a significant period of time is the cloud.
With that in mind, let’s find out what software rot/code rot refers to:
Software rot – a definition
Software rot can be defined as follows:
Software rot, also known as bit rot, code rot, software erosion, software decay, or software entropy is either a slow deterioration of software quality over time or its diminishing responsiveness that will eventually lead to software becoming faulty, unusable, or in need of an upgrade. This is not a physical phenomenon: the software does not actually decay, but rather suffers from a lack of being responsive and updated with respect to the changing environment in which it resides.
There are two types of software rot/code rot:
a. Changed environment / Dormant rot
This refers to the case in which a module of code isn’t used in the system for months or years, like an existing functionality that isn’t needed anymore. It is possible and probable for the environment to have suffered changes in that period of time, but the module will have stayed the same – ergo, the code has rotted since it no longer fits its environment.
b. Gradual decay / Active rot
The second type of software rot/code rot is linked to gradual decay. In this case, the code is actively used, but it rots by slowly becoming flawed in small details. This situation appears when the existing code is changed, but the developers do not pay attention to the whole picture. In gradual decay, every new change might make sense on its own, but the cumulative effect is undesirable.
Henrik Warne also adds a third possible type of software rot:
c. Misnamed methods
“A third example is misnamed methods (and variables and even files). As changes accumulate in what a method does, the name may no longer fit. So it is quite common with method names that are either plain wrong or that don’t tell the whole truth about what the method does.”
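The dormant-rot case above (code that nothing has called for months or years) is the one a team can actually measure. The following script is an added example, not code from the article or from Heimdal: it parses a small, constructed set of Python modules with the standard `ast` module and reports every top-level function that no module references. Names listed in `ENTRY_POINTS` (here just `main`) are assumed to be invoked from outside the code base and are exempt; a function that only calls itself still counts as referenced, which is a known limitation of this simple approach.

```python
"""Flag top-level functions that nothing in the code base references (dormant code)."""
import ast
from typing import Dict, List, Set

# Constructed sample "code base": file name -> source text. Not a real project.
SAMPLE_MODULES: Dict[str, str] = {
    "billing.py": '''
from legacy import convert_currency_v1   # imported long ago, no longer used

def compute_invoice(items):
    return sum(i["price"] * i["qty"] for i in items)

def legacy_tax_rate(country):   # kept "just in case"; nothing calls it any more
    return 0.2 if country == "UK" else 0.19
''',
    "legacy.py": '''
def convert_currency_v1(amount, rate):
    return amount * rate

def convert_currency_v2(amount, rate, fee):
    return amount * rate - fee
''',
    "app.py": '''
import billing

def main():
    total = billing.compute_invoice([{"price": 10, "qty": 2}])
    return total
''',
}

# Names called from outside the code base (scripts, schedulers, frameworks); assumed here.
ENTRY_POINTS = {"main"}


def defined_functions(source: str) -> Set[str]:
    """Names of functions defined at module top level."""
    tree = ast.parse(source)
    return {
        node.name
        for node in tree.body
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef))
    }


def referenced_names(source: str) -> Set[str]:
    """Every identifier a module actually reads: bare names and attribute names.

    Import statements deliberately do not count: importing a function without
    calling it is itself a sign of rot, so such functions stay flagged.
    """
    refs: Set[str] = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Name) and isinstance(node.ctx, ast.Load):
            refs.add(node.id)
        elif isinstance(node, ast.Attribute):
            refs.add(node.attr)
    return refs


def find_dormant(modules: Dict[str, str]) -> List[str]:
    """Return 'file:function' for every top-level function no module references."""
    defined = {(mod, fn) for mod, src in modules.items() for fn in defined_functions(src)}
    used: Set[str] = set()
    for src in modules.values():
        used |= referenced_names(src)
    return sorted(
        f"{mod}:{fn}" for mod, fn in defined
        if fn not in used and fn not in ENTRY_POINTS
    )


if __name__ == "__main__":
    for hit in find_dormant(SAMPLE_MODULES):
        print("dormant:", hit)
```

Run against the sample, the script flags `legacy_tax_rate` (never called), `convert_currency_v1` (imported but never used) and `convert_currency_v2` (never referenced at all), while `compute_invoice` survives because `app.py` calls it through the module attribute. On a real code base the same logic, pointed at the files on disk, gives a first inventory of modules that have stopped tracking their environment.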
Software rot – causes
Software rot/code deprecation appears due to a considerable number of factors:
Copying the existing pattern. There are cases where new functionalities are added without checking if the whole code needs to be modified to better accommodate the changes.
Making small changes. It’s well known that any small change of the code may cause bugs. Even if the differences are minimal after the modification of the code, this risk won’t be minimized and can lead to code rot.
Unfamiliar code. Some would say it’s natural to make only small changes if the code you have to modify is (still, for any reason) unfamiliar. This does not make it any less dangerous though.
Time pressure. Developers who have to work with tight deadlines might also choose the faster and smaller modification, “rather than the bigger change that would also improve the overall structure of the code.”
Lack of regulations. If there are no regulations on how and when the gradual decay should be fixed, the problems with the code will only get bigger and bigger.
Developers. Sometimes, the developers whose task is to modify a certain piece of code simply don’t have the experience to do it – or just don’t care enough about the code’s quality in general.
Software rot – telltale signs
Fortunately, software rot is a condition that does not go unnoticed, neither by end-users nor by developers. Here are the main signs that tell developers they are dealing with code issues:
Fragility refers to software that tends to break in many places whenever a change is made, often even in areas that are conceptually unrelated to the change being made. As this increases, the software becomes very difficult to maintain because every new change introduces numerous new defects. In the best case, these defects are caught early by an automated testing suite. In the worst case, they are found in production by end-users.
For end-users, the signs of software rot are also obvious, although they may not immediately realize what is happening: entire applications, or only some of their features, run with poor performance or stop working completely.
Increased feature-delivery time
Code rigidity is also indicated by an increase in the amount of time needed to add new features. As Codurance says, if there is a software rot, “a new change causes a cascade of subsequent changes in dependent modules within the codebase. This results in teams often being fearful to address non-critical problems because they do not know the full impact of making one change, or how long that change will take”.
Software rot, legacy software, IoT – connection & risks
Software rot can also be linked to legacy software. As my colleague Miriam explains in one of her articles, “legacy software is any piece of software that can’t receive continued patching or support from its developer, or can’t meet the compliance standards in use.”
Miriam correctly notes that legacy software is not always dangerous, but the threats it poses are critical to any business’s safety. The risks you’re facing in case of software rot and legacy software are the following:
The risk of falling prey to a data breach or cyber-attack more easily;
The risk of slowing down the activity due to the performance issues or the need to manually fix issues regularly;
The risk of becoming non-compliant.
What does a data breach bring?
Revenue loss, brand reputation damage, intellectual-property loss, legal actions, hidden costs – basically, nothing that you’d want to deal with in the near or distant future.
What could slow performance issues mean for your company?
The consequences of a slow performance are similar to the ones of a data breach: revenue loss, because some clients or prospects could choose another company instead of yours to obtain the products/services they were looking for, and maybe even brand reputation damage if they spread the word.
What happens if you’re non-compliant?
Well, Nellie Akalp from Corpnet.com explains the consequences in detail:
Piercing of Corporate Veil – […]“Corporate veil” (also called a “corporate shield”) is the legal distinction between an LLC or corporation and its owner(s). It is the legal separation established by keeping a company’s activities, assets and liabilities independent from those of the business owner(s). If an LLC or Corporation fails to fulfil its compliance requirements, a court might decide that the corporate veil has been pierced and that the individuals who own or oversee the business are personally accountable for the debts or legal wrongdoing of the company.
Audits – Non-compliance draws closer inspection of a business’s processes and financials. […]
Financial penalties – Non-compliance can hit a business’s checking account hard. There may be fines, back taxes, interest, and other financial penalties levied if a company fails to fulfil its compliance requirements.
Suspension or termination of the business – If the frequency or severity of non-compliance warrants it, a company may fall out of good standing with the state and be forced to either suspend operations or close its doors entirely. Stating the obvious, this can be fatal for a business.
Imprisonment – […] non-compliance may lead to the civil or criminal prosecution of owners, officers, and directors if their personal actions were unlawful or negligent.
Damaged brand reputation – As word gets out publicly about a company’s non-compliance, it could permanently hurt the business’s reputation. That could destroy customer and vendor confidence as well as make lenders wary of providing financing to the business in the future.
Moreover, if your company relies on IoT devices or if you use them at home, the risks imposed by software rot are also high: “For sensors inside a refrigerator or washing machine, software issues mean inconvenience. Inside automobiles or vehicles, it means trouble. For software running medical devices, it could mean life or death.”
What can you do to mitigate the consequences of software rot/code deprecation?
Firstly, please note that, if you use third-party applications and software, there’s little you can do to prevent software rot, since you probably don’t have access to the source code and its development process. However, there are some measures you can take to mitigate the consequences of software rot on your devices:
Backups are the simplest measure you can take in order to make sure that your data is safe in case anything happens to your endpoints and network.
Restart your device
If you avoid turning off your computer, you’re contributing to slowdown issues. As armortechs.com says, restarting your device could be beneficial for fixing memory leaks: “some applications have glitches that lead to memory leaks. A memory leak is RAM utilized by the software but never released back to the computer. Restarting your computer kills that process and releases RAM back to the computer to use again.”
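A restart only clears a leak; the cause lives in the code. One of the most common ways application code produces the “RAM utilized but never released” pattern quoted above is a cache that grows without bound, so that the process holds every response it has ever computed until it is killed. The example below is added here and is not code from the article, armortechs.com or Heimdal: it drives a constructed leaky cache and a bounded, least-recently-used alternative with the same stream of requests and uses the standard `tracemalloc` module to show the difference in peak memory. Key and response values are invented for the demonstration.

```python
"""Unbounded caches as a source of the memory leaks a restart temporarily hides."""
from collections import OrderedDict
from typing import Callable, Hashable, Iterable, Tuple
import tracemalloc


class LeakyResponseCache:
    """Keeps every response it ever computed; memory only returns when the process exits."""

    def __init__(self) -> None:
        self._store: dict = {}

    def get_or_compute(self, key: Hashable, compute: Callable[[Hashable], bytes]) -> bytes:
        if key not in self._store:
            self._store[key] = compute(key)
        return self._store[key]

    def __len__(self) -> int:
        return len(self._store)


class BoundedResponseCache:
    """Same interface, but evicts the least recently used entry once max_entries is exceeded."""

    def __init__(self, max_entries: int) -> None:
        self._store: "OrderedDict[Hashable, bytes]" = OrderedDict()
        self.max_entries = max_entries

    def get_or_compute(self, key: Hashable, compute: Callable[[Hashable], bytes]) -> bytes:
        if key in self._store:
            self._store.move_to_end(key)          # mark as recently used
        else:
            self._store[key] = compute(key)
            if len(self._store) > self.max_entries:
                self._store.popitem(last=False)   # drop the oldest entry
        return self._store[key]

    def __len__(self) -> int:
        return len(self._store)


def fake_response(key: Hashable) -> bytes:
    """Constructed stand-in for a real computed response (about 1 KiB per key)."""
    return b"x" * 1024


def simulate(cache, requests: Iterable[Hashable]) -> Tuple[int, int]:
    """Feed the cache a stream of distinct keys; return (entries held, peak traced bytes)."""
    tracemalloc.start()
    for key in requests:
        cache.get_or_compute(key, fake_response)
    _, peak = tracemalloc.get_traced_memory()
    tracemalloc.stop()
    return len(cache), peak


if __name__ == "__main__":
    # 5,000 distinct requests: the leaky cache keeps all of them, the bounded one keeps 100.
    for name, cache in (("leaky", LeakyResponseCache()), ("bounded", BoundedResponseCache(100))):
        held, peak = simulate(cache, range(5000))
        print(f"{name:8s} entries={held:5d} peak_bytes={peak}")
```

With 5,000 distinct keys the leaky cache ends up holding all 5,000 responses (several megabytes), while the bounded cache never holds more than 100; over a long-running process the first pattern is exactly what makes a restart look like a fix.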
85% of malware can get into your computer due to out-of-date applications and software. For this reason, it’s crucial to have a good patch management solution that can make sure everything on your devices stays up to date. Our X-Ploit Resilience technology allows updates to be installed automatically as little as 4 hours after release, or scheduled according to the PC’s clock, and can be found in both Thor Foresight and Thor Premium.
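Whatever tool does the installing, the core of patch management is deciding which installed versions are behind the latest release and by how much. The script below is an added example and is not Heimdal’s X-Ploit Resilience code or any vendor’s feed format: it audits a constructed endpoint inventory against a constructed list of latest releases, compares dotted version numbers numerically (plain string comparison would rank 3.0.9 above 3.0.20), and reports every package that is still outdated after the article’s 4-hour patch window has passed. Package names, versions, release times and the audit time are all invented.

```python
"""Audit an endpoint's software inventory against latest releases and a patch window."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# The article's target: updates applied within 4 hours of release.
PATCH_WINDOW = timedelta(hours=4)


@dataclass
class Release:
    name: str
    latest: str
    released_at: datetime  # when the latest version was published


# Constructed sample data; not from any real advisory feed or inventory tool.
LATEST: List[Release] = [
    Release("browser", "116.0.5845.97", datetime(2024, 1, 10, 9, 0, tzinfo=timezone.utc)),
    Release("pdf-reader", "23.6.20320", datetime(2024, 1, 12, 15, 30, tzinfo=timezone.utc)),
    Release("media-player", "3.0.20", datetime(2023, 11, 1, 0, 0, tzinfo=timezone.utc)),
]
INSTALLED: Dict[str, str] = {
    "browser": "116.0.5845.97",   # current
    "pdf-reader": "23.6.20280",   # outdated, but the release is only 2.5 hours old
    "media-player": "3.0.9",      # outdated for months
}
AUDIT_TIME = datetime(2024, 1, 12, 18, 0, tzinfo=timezone.utc)  # constructed "now"


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric tuple for a purely dotted-numeric version (assumed format), so 3.0.20 > 3.0.9."""
    return tuple(int(part) for part in version.split("."))


def is_outdated(installed: str, latest: str) -> bool:
    return version_key(installed) < version_key(latest)


def audit(installed: Dict[str, str], releases: List[Release],
          now: datetime) -> List[Tuple[str, str, str, float]]:
    """Return (name, installed, latest, hours_overdue) for packages past the patch window."""
    findings = []
    for rel in releases:
        have = installed.get(rel.name)
        if have is None or not is_outdated(have, rel.latest):
            continue
        overdue = now - (rel.released_at + PATCH_WINDOW)
        if overdue < timedelta(0):
            continue  # outdated but still inside the window: pending, not a finding
        findings.append((rel.name, have, rel.latest, round(overdue.total_seconds() / 3600, 1)))
    return findings


def run_audit() -> List[Tuple[str, str, str, float]]:
    """Convenience wrapper over the constructed data."""
    return audit(INSTALLED, LATEST, AUDIT_TIME)


if __name__ == "__main__":
    for name, have, latest, hours in run_audit():
        print(f"{name}: installed {have}, latest {latest}, {hours} h past the patch window")
```

On the sample data only `media-player` is reported: the browser is current, and the PDF reader’s new release is still inside the 4-hour window at audit time. Feeding the same function a real inventory export and a vendor release feed turns it into a daily check that the patch process is actually meeting its window.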
Unlike data rot, which is inevitable, software rot can be prevented with a little attention from the developers and their product owners. If or when it still appears, there are, fortunately, ways to mitigate its consequences – including by trying our patch management solution, which can help you keep your system up to date.
Also, please remember that Heimdal™ Security always has your back and that our team is here to help you protect your home and your company and to create a cybersecurity culture to the benefit of anyone who wants to learn more about it.
Drop a line below if you have any comments, questions or suggestions – we are all ears and can’t wait to hear your opinion!