Linux Today: Linux News On Internet Time.

developerWorks: Secure Programmer: Developing Secure Programs

Aug 29, 2003, 08:30
(Other stories by David A. Wheeler)

"Computer attacks have become a very serious problem. In 1997, the CERT/CC reported 2,134 computer security incidents and 311 distinct vulnerabilities; by 2002 it had risen to 82,094 incidents and 4,129 vulnerabilities. The Computer Security Institute (CSI) and the San Francisco Federal Bureau of Investigation's (FBI) Computer Intrusion Squad surveyed 503 large corporations and government agencies in 2003 and found that 92 percent of the respondents reported attacks. Respondents identified both their Internet connection (78 percent) and their internal systems (36 percent) as frequent points of attack. 75 percent of the respondents acknowledged financial losses, and although only 47 percent could quantify their losses, those who could found it was over $200 million.

"There are many reasons why attacks are on the rise. Computers are increasingly networked, making it easier for attackers to attack anyone in the world with very little risk. Computers have become ubiquitous; they now control many more things of value (making them worth attacking). In the past, customers have been quite willing to buy insecure software, so there had been no financial incentive to create secure software.

"The electronic world is now a far more dangerous place. Today, nearly all applications need to be secure applications. Practically every Web application needs to be a secure application, for example, because untrusted users can send data to them. Even applications that display or edit local files (such as word processors) have to be secured, because sometimes users will display or edit data e-mailed to them.

"If you develop software, you're in a battleground and you need to learn how to defend yourself. Unfortunately, most software developers have never been told how to write secure applications..."
