13.2 The Reasons Why Software Is Vulnerable

In a nutshell, software is vulnerable due to complexity and inevitable human error. Many vendors (e.g., Microsoft, Sun, Oracle, and others) that developed and built their software in the 90's didn't write code that was secure from heap overflows or format string bugs, because these issues were not widely known at the time.

Software vendors are now in a situation where, even though it would be the just thing to do, it is simply too expensive to secure their operating systems and server software packages from memory manipulation attacks. Code review and full black box testing of complex operating system and server software would take years to undertake, and severely impact future development and marketing plans, along with revenue.

In order for adequately secure programs to be developed, the interaction of that program with the environment in which it is run should be controlled at all levels?no data passed to the program should be trusted or assumed to be correct. Input validation is a term used within application development to ensure that data passed to a function is properly sanitized before it is stored in memory. Proper validation of all external data passed to key network services would go a long way toward improving the security and resilience of IP networks and computer systems.