You can stumble onto an ActiveX vulnerability with a little help from Google and a 5-minute tutorial on fuzzing. When you ask a technology executive about potential security issues with virtualization, you get a blank stare. And we're stuck on this patch-go-round that never ends.
All of these issues are side effects of one illness: the software industry and the customers that implement applications rarely think about security first. You see it with Web 2.0 apps, shoddy browsers, and the huge patches (basically code rewrites) that plug holes in some of the most popular Web software (IE, Skype, QuickTime, etc.). Does it strike anyone as odd that we were hit by patches for four major vulnerabilities in 24 hours this week?
Here are the priorities among software developers:
- Cook up applications quickly;
- Gain massive distribution;
- Get people to install it;
- Monetize it.
Among customers the priorities go something like this:
- Save money;
- Ease of use;
- Ease of installation;
- Enable the business somehow (and save more money).
In this state of affairs, little things like security are bolted on once these applications are widely adopted. Does that make sense?
Why should we need an attack on (pick your hot software of the moment) to think about security and all of the processes that enable it? The only explanation is that developers and software companies are lazy and know there's no immediate return. It's a far easier business model to turn out crappy software and then sell us stuff to fix it. Bizarre.
Simply put, security would be a lot better if companies gave just a smidge of forethought to vulnerabilities. Sure, there are a few bright spots. I thought MySpace's move to put its third-party apps through some security testing before unleashing them on users was a great idea. But far too often I'm wondering why security isn't at least thought about a bit before we move on to the latest and greatest thing.