All Software Has Vulnerabilities

No matter how smug you are about it, and how much you claim that security is someone else's problem, software will have vulnerabilities. It is a fact of life because software is, by far, the most complex engineering task mankind has ever undertaken.

In that light, I found a quote by Alan Paller, of the SANS Institute, in the latest @Risk Consensus Security Vulnerability Alert quite revealing:

If you are ever asked which operating system is safer, the following 'non-aligned' rule may be of some help. Given a fixed level of programming skill, the number of vulnerabilities in software is directly proportional to the number of lines of code and inversely proportional to the length of time the software has been in wide use. Large numbers of critical vulnerabilities are being, and were bound to be, discovered in Apple's operating system because Steve Jobs may design better hardware, but his programmers are no better at writing secure code than programmers in other software organizations. Alan

Secure software is produced by software developers who have been adequately trained, who have great tools at their disposal, and who work in a supportive culture that makes it easier to do the right thing and harder to do the wrong thing.

Leave a Reply

Your email address will not be published. Required fields are marked *