`X-AMZN-something` at least though probably predates that; a mix of `X-AMZN` and `AMZN` would be annoying. (Although I suppose they could say 'We've deprecated `X-`, it'll be stripped and still work, but please don't use it in new code' applying to all of them, old and new.)
Nope! They solved it the opposite way. Their bug tracking system consisted of individual customers who called up to report bugs. I.e. Joe Blow would call up and say "Hey, I'm supposed to see 231 shares, but I only see 219 shares."
That would result in a bug report. The bug report was that Joe Blow saw that outcome. In other words, the bug report didn't contain anything about the code itself.
They had an entire division of support people whose job was to track these bugs, and to fix them.
In order to fix the bug, they would manually edit the database, or do whatever was necessary to make sure Joe Blow saw the right value again. But they never changed the code; they weren't programmers.
Once Joe Blow was happy, they closed the bug report as "fixed."
Therefore, no tests were ever required.
It was ... impressive? I think? I couldn't mentally process what I was seeing at the time. But "impressive" is probably the right word. After all, the system worked.
I always wondered that! I assume they had a "ground truth" financial order book somewhere (which presumably was held to much higher standards of correctness) and that the support staff manually verified their balance.
But ... that logic doesn't work if you chase down the implications. And sadly I was both too shocked and too young to press my coworker for details. (He was a cool older fellow who seemed as amused with the craziness.)
Eventually I became a pentester at Matasano. During my one-year stint, I was parachuted into around 70 codebases. I got to see first-hand that Scottrade wasn't an outlier; they were the average. Most companies have similar WTFs, and the codebases are just as onerous.
The world is held together with duct-tape. That's why pentesting is so crucial.
You're not too far off; all SDC systems (including Tesla & Waymo) use disengagements to train on. So it's not accidents themselves, but human takeovers prior to what might otherwise have been an accident.
