---

developerWorks: Secure Programmer: Developing Secure Programs

“Computer attacks have become a very serious problem. In 1997,
the CERT/CC reported 2,134 computer security incidents and 311
distinct vulnerabilities; by 2002 it had risen to 82,094 incidents
and 4,129 vulnerabilities. The Computer Security Institute (CSI)
and the San Francisco Federal Bureau of Investigation’s (FBI)
Computer Intrusion Squad surveyed 503 large corporations and
government agencies in 2003 and found that 92 percent of the
respondents reported attacks. Respondents identified both their
Internet connection (78 percent) and their internal systems (36
percent) as frequent points of attack. 75 percent of the
respondents acknowledged financial losses, and although only 47
percent could quantify their losses, those who could found it was
over $200 million.

“There are many reasons why attacks are on the rise. Computers
are increasingly networked, making it easier for attackers to
attack anyone in the world with very little risk. Computers have
become ubiquitous; they now control many more things of value
(making them worth attacking). In the past, customers have been
quite willing to buy insecure software, so there had been no
financial incentive to create secure software.

“The electronic world is now a far more dangerous place. Today,
nearly all applications need to be secure applications. Practically
every Web application needs to be a secure application, for
example, because untrusted users can send data to them. Even
applications that display or edit local files (such as word
processors) have to be secured, because sometimes users will
display or edit data e-mailed to them.

“If you develop software, you’re in a battleground and you need
to learn how to defend yourself. Unfortunately, most software
developers have never been told how to write secure
applications…”

