Even if your code contains thousands of bugs, automated tools—static, dynamic, and interactive analysis, along with software composition analysis (SCA)—can you’re your developers find and fix them, sometimes even in real time as they work.
That means fixing bugs is, relatively speaking, quick, easy, and inexpensive. “If we didn’t catch an error when it occurred and it made the application malfunction, if we just change a line of code, then poof, it will work correctly,” Migues said.
A flaw, by contrast, is often much more subtle than an “off-by-one” error in an array reference or the use of an incorrect system call.
“A design is a protocol between two things,” Migues said. “It could be how a file is built or the methodology for logging.”
“A design flaw would be saying, ‘I’m going to allow this application or this microservice to accept any number of requests at any speed from any source. There will be no velocity checker, no identity and access control, no access management.’ That’s a design flaw. It’s not just screwing up a line of code.”
Unfortunately, finding design flaws is more labor intensive than finding bugs, and it takes significant expertise. Which explains why organizations are still not doing it nearly enough.