ITPRO

Printed from www.itpro.co.uk


    To Beta or not to Beta?

Software beta testing could be dying out, or at least mutating into something unrecognisable.

By Danny Bradbury, IT PRO, 8 Sep 2006 at 21:46

When is a beta not a beta? When it's being used in production! The meaning of the term 'beta test' is changing, and perhaps even disappearing - and it's customers, alongside software developers, who are to blame.

Beta versions of Vista have been out in the field for months and Microsoft is already releasing security patches for them. "It's utterly off the wall. Surely the whole point about a beta is that you play with it, you feed back to the vendor, and they then release the final code," says Ken Munro, managing director of penetration testing company SecureTest. "In the past, betas were controlled programs with privileged access. Now, people are rolling out betas for everything," he adds. "You end up with these operating systems in beta, running out in the entire world. What if there's a worm?"

There are 3.5 million beta testers running Microsoft Office 12, says Microsoft Office product manager Darren Strange. "Only 100 [early adopter] customers are allowed to use it in production," he argues. "Our advice to people is that you shouldn't be running it on your production machine. So that if your email goes wrong, you could always go back to your live machine." So theoretically, just shy of 3.5 million people are running Office 12 on a second machine sitting alongside their other PC. Yeah, right.

Web-based beta

The situation is the same, if not worse, with Web-based applications. Google News was in beta for four years; Gmail is still a beta.

As there is no online distribution, the notion of software versioning becomes even more arbitrary and the idea of 'just in time programming' - where the line between development code and live code blurs or disappears - becomes more commonplace.

"A lot of the development environments created for the just in time software model were not built with the same level of security and robust development procedures, so we're starting to see a lot of vulnerabilities related to that. Some of them are in the frameworks themselves, and some of them are because just in time software development doesn't lend itself to secure development," says Vincent Weafer, director of development for security response at Symantec. "These frameworks are designed so that you can say at any point, 'I'm done'," he adds, describing a 'fix it tomorrow' ethos among some web programmers. "You find a lot of issues with web development and sloppy programming."

Bridging the gap with dynamic web applications

As Ajax and rich Internet applications continue to evolve, room for vulnerabilities could grow, warns SecureTest's Munro. For example, if most of the application logic is located on the client, it becomes more tempting for sloppy server programmers to forego proper back-end data validation, and assume that it is all being done in the browser. Some may forget that JavaScript is hackable, and Flash files can be decompiled. If 'beta' software compromised in such a way is available for all to use, such vulnerabilities could have widespread effects.
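
The back-end shortcut described above, shown beside its corrected form, as an added example that is not code from the article or from anyone quoted in it. The order format, price list and function names are assumptions made for illustration.

```javascript
// Added example (constructed): an Ajax "place order" handler, no framework.
// PRICES, MAX_QTY and both handler names are hypothetical.
const PRICES = { widget: 500, gadget: 1250 }; // server-side price list, in pence
const MAX_QTY = 100;

// Weak form: assumes the browser script already checked everything,
// so it accepts the quantity and the total computed on the client.
function handleOrderTrusting(body) {
  const order = JSON.parse(body);
  return { status: 200, charged: order.total, item: order.item, qty: order.qty };
}

// Hardened form: treats the request as untrusted input, re-checks every
// field on the server and recomputes the total from its own price list.
function handleOrderValidating(body) {
  let order;
  try {
    order = JSON.parse(body);
  } catch (e) {
    return { status: 400, error: 'malformed JSON' };
  }
  if (order === null || typeof order !== 'object' || Array.isArray(order)) {
    return { status: 400, error: 'body must be an object' };
  }
  if (typeof order.item !== 'string' ||
      !Object.prototype.hasOwnProperty.call(PRICES, order.item)) {
    return { status: 400, error: 'unknown item' };
  }
  if (!Number.isInteger(order.qty) || order.qty < 1 || order.qty > MAX_QTY) {
    return { status: 400, error: 'quantity out of range' };
  }
  // Any client-supplied total is ignored and never charged.
  const charged = PRICES[order.item] * order.qty;
  return { status: 200, charged, item: order.item, qty: order.qty };
}

// Constructed requests: one as the page's own script would send it,
// two whose fields were changed after the client-side checks ran.
const honest = JSON.stringify({ item: 'widget', qty: 2, total: 1000 });
const edited = JSON.stringify({ item: 'widget', qty: 2, total: 1 });
const badQty = JSON.stringify({ item: 'gadget', qty: -5, total: -6250 });
```

The trusting handler charges whatever total arrives in the request; the validating handler returns the same result for the honest and the edited request because it never reads the client's total.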

The marrying of client-side software and Internet distribution also muddies the waters. If you can easily update software online at any time with post-release patches, then the whole concept of software versioning becomes more interpretive.

What's the difference between Microsoft releasing software patches for Vista in beta, and the inevitable patches that will appear afterwards? "If we're posting patches to beta, I guess there are just more of them," shrugs Strange.
