Why is Software So Insecure?
Internet Explorer is one of many examples of insecure software. Some call Internet Explorer the browser that made the Internet accessible to the masses. Others call it an accident waiting to happen (again and again). Let's think about where IE grew up. Started as a skunk works project alongside Windows 95, Internet Explorer was first released in 1995 as part of the Internet Jumpstart Kit found in Microsoft Plus! For Windows 95. While it was well integrated with the new operating system, few users adopted it, as much more mature and feature rich applications already existed. With the release of IE 2.0 in 1996 it was obvious that MS was not abandoning this software. Cross platform support was added for Macintosh users, and several emerging technologies such as cookies, VRML and RealAudio were now supported. Later that year IE 3.0 was released, and the browser wars truly began. Finally MS had released a product that was capable of competing with Netscape on even ground. Internet Explorer was no longer merely a Web browser, it was the launch point for most of the users Internet needs. Users could read your e-mail, check newsgroups, view videos, listen to music, and (believe it or not) browse the Web too.
Within nine days of its release the very first exploit for IE 3.0 was discovered and released to the public. The rest, as they say, is history.
So how could a company with the resources of Microsoft develop and release a product that is so obviously flawed? The Microsoft campus contains some of the most brilliant designers and programmers the world has to offer. Many of the development practices present at MS are used throughout the industry (which many would say contributes to the problem, but that is a different topic altogether). Why, then, can't even the imposing minds at Microsoft seem to be capable of writing software that can be trusted?
First of all, we should note that there is more than one way for software to be insecure. Methods for exploiting and circumventing security in programs are as varied as the applications they are attacking. Perhaps the fundamental problem is that software is not necessarily designed and constructed with security in mind. Until recently, security has been something of an afterthought in the computer industry, both amongst vendors and among customers/users. However, as the previous section pointed out, it is becoming more obvious that security is becoming a very costly concern. Apart from the obvious problem that security has not been a fundamental part of the development process, there are other fundamental problems with software that add to insecurity. The following section discusses some of these problems.