AS a former software engineer, I laughed when I read what the Securities and Exchange Commission might be considering in response to the debacle of Knight Capital’s runaway computerized stock trades: forcing companies to fully test their computer systems before deploying coding changes.This is a pretty obvious case of how the SEC is clueless, but there are many other instances, especially where security regulations are on the books. In many, many cases, the SEC has no clue as to how sharp operators are using regulations to their advantage---and to the detriment of everyone else.
That policy may sound sensible, but if you know anything about computers, it is funny on several accounts.
First, it is impossible to fully test any computer system. To think otherwise is to misunderstand what constitutes such a system. It is not a single body of code created entirely by one company. Rather, it is a collection of “modules” plugged into one another. Software modules are purchased from multiple vendors; the programs are proprietary; a purchaser (like Knight Capital) cannot see this code. Each piece of hardware also has its own embedded, inaccessible programming. The resulting system is a tangle of black boxes wired together that communicate through dimly explained “interfaces.” A programmer on one side of an interface can only hope that the programmer on the other side has gotten it right.
Next, there is no such thing as a body of code without bugs. You can test assiduously: first the programmers test, then the quality-assurance engineers; finally you run the old and new systems in parallel to monitor results. But no matter. There is always one more bug. Society may want to put its trust in computers, but it should know the facts: a bug, fix it. Another bug, fix it. The “fix” itself may introduce a new bug. And so on.
So now consider that tangle of modules. The bug in one meets the bug in another, and that one in another ... and the possibility of system failure multiplies exponentially.
Another absurd thing is trying to define a coding change worth fully testing. A completely new system rollout would certainly qualify. How about installing an updated module from one of those software vendors? It depends on the perceived criticality of the component. How about that new network router and its embedded code? Rarely done. What about a tiny bug fix done by a responsible, hardworking programmer at Knight Capital? Good quality-assurance departments would test that. But individual programmers may see a particular change as insignificant. One time I fixed a function by changing “less than” to “less than or equal to.” That “fix” propagated through the system. And down the system came.
The SEC should be shut down and securities regulations should be thrown into the garbage dump. This would eliminate the moat that protects the big Wall Street firms from new competitors. Wall Street would be a much better, more honest and more interesting place, without the SEC. You would be able to actual pick between thousands of firms, as opposed to be railroaded into dealing with the crooks at Goldman Sachs, JPMorgan Chase and Citigroup.