In Depth

Patching Software: The Big Fix

Insecure software is forcing vendors to do what they've never done before: make good software

By Scott Berinato

Page 2

Application security, until now an oxymoron of the highest order, like "jumbo shrimp," is why we're starting here, where we usually end. Because it's finally changing.

A complex set of factors is conspiring to create a cultural shift away from the defeatist tolerance of "that's just how it is" toward a new era of empowerment. Not only can software get better, it must get better, say executives. They wonder, Why is software so insecure? and then, What are we doing about it?

In fact, there's good news when it comes to application security, but it's not the good news you might expect. Application security is changing for the better in a far more fundamental and profound way. Observers invoke the automotive industry's quality wake-up call in the '70s. One security expert summed up the quiet revolution with a giddy, "It's happening. It's finally happening."

Even Kawasaki seems to be changing his rules. He says security is a migraine headache that has to be solved. "Don't tell me how to make my website cooler," he says. "Tell me how I can make it secure."

"Don't worry, be crappy" has evolved into "Don't be crappy." Software that doesn't suck. What a revolutionary concept.

Why Is Software So Insecure?

Software applications lack viable security because, at first, they didn't need it. "I graduated in computer science and learned nothing about security," says Chris Wysopal, technical director at security consultancy @Stake. "Program isolation was your security."

The code-writing trade grew up during an era when only two things mattered: features and deadlines. Get the software to do something, and do it as fast as possible. Cyra Richardson, a developer at Microsoft for 12 years, has written code for most of the company's major pieces of software, including Windows 3.1. "The measure of a great app then was that you did the most with the fewest resources" (memory, lines of code, development hours), she says. So no one built secure applications, but no one asked for them either. Windows 3.1 was "a program made up almost entirely of customers' grassroots demands for features to be delivered as soon as possible," Richardson recalls.

Networking changed all that. It allowed someone to hack away at your software from somewhere else, mostly undetected. But it also meant that more people were using computers, so there was more demand for software. That led to more competition. Software vendors coded frantically, under the insecure pedagogy, to outwit competitors with more features sooner. That led to what one software developer called "featureitis." Inflammation of the features.
