A high-quality, good-looking, comfortable car that sips fuel would seem to be the ideal vehicle. However, if a closer inspection reveals that it has no door locks, air bags, seat belts, or anti-lock brakes, then no one should buy it.
Such is the case with computer software. While the power and performance of computers have increased by orders of magnitude in recent years, computer software remains highly vulnerable to attack. Applications that were never designed for the Internet now interface with servers and users worldwide.
This situation has attracted, motivated, and enabled hackers who attack and misuse software systems for malice and profit, putting millions of users at risk. Organized crime, identity-theft "bots," and zombie networks, directed behind the scenes by increasingly sophisticated individuals, pose even larger threats.
SECURITY MUST BE STANDARD.
Financial markets, electronic commerce, medical facilities, and national security systems are all critical and powered by software. Security breaches cause substantial financial losses and lead to the erosion of brand value and customer trust. Identity theft is traumatic for individuals.
So why are we letting the bad guys in? What's preventing the deployment of hacker-proof software? Financial-services companies recognize that securing their software is a priority. Other companies need to follow suit and implement similar safeguards to secure their systems.
Sophisticated bug-finding tools already do an excellent job of improving software quality—effectively checking that the car doors, as it were, open and close. But fixing quality bugs doesn't eliminate security vulnerabilities—doesn't check whether the locks on those doors work. Finding and fixing security vulnerabilities requires additional work and a different approach.
Security needs to be a standard requirement in software development.
Security professionals need to change their world view. Rather than simply building big walls around their networks, developers must become proactive about security and include it from the beginning of an application's development. They must consider the possible threats to the system and review source code—the software's blueprint—for security flaws, thereby vastly improving overall security.
Sophisticated tools already exist to help in this important process, and software developers should incorporate them as a standard part of their work. Just as a responsible developer today wouldn't consider shipping software that contains serious bugs that would cause an application to crash, similarly, developers shouldn't consider software complete until it's known to be secure.
All of us, both consumers and businesses, have been quiet for far too long in the face of daily news of patches, security fixes, updates, worms, viruses, thefts, and attacks around the world. We should demand change from the businesses we deal with and the software vendors they buy applications from.
Speaking with one voice, we should insist that software is not complete unless it is secure. The alternative is unacceptable—we can't tolerate identity theft, financial loss, organizational downtime, and national security threats from untested and therefore inadequately secure software. We deserve, and can demand, better.