Losing a Battle, Catching
Mistakes"> David Wagner As a security person, I think were losing this battle right now. Were falling behind and we need to step up our game. Were getting better at security, but hackers are getting better faster than we are. About 80 percent of home computer users are infected with spyware. A new Windows XP machine has a mean time to infection of about 15 minutes. Were falling behind.Developers need to recognize its [their] problem. Good application software makes a difference. In 2004, Internet Explorer had a publicly revealed vulnerability that had not been patched on 98 percent of the days [of that year]. Firefox was vulnerable on 7 percent of the days [of that year]. That tells you that what the application developers are doing can make a big difference. Bill Joy When I was at Berkeley in the 80s and late 70s, Eric Schmidtwhos now CEO of Googleand I were graduate students together, and Eric was a summer student at Xerox. He showed me Cedar, a type-safe derivative of Pascal, so 25 years ago we knew it was possible to write a programming language that caught dumb and obvious mistakes. In the 90s, when James Gosling showed me Oak [the predecessor of Java], I realized that here was an opportunity to build a language where programs have meaning. When you write a Java program, theres a spec; theres a formal semantics. If the program can runif its not a concurrent programit will always give the same answer. With the coming together of the need for security with the Net and of programming languages that are testable, you can come up with layers of abstraction. Javas just one layer. If you write your whole program without any higher-level description than just a Java program, eventually, it will be too hard to understand. You need patterns of software, other layers, other notations, other ways to test higher-level properties of the software. Thats the only way. These kinds of transitions take a really long time. Check out eWEEK.coms for the latest news, reviews and analysis in programming environments and developer tools.
I would be careful of the "Its not my problem" syndrome. Developers think that "Oh, Ive got firewalls, so Im safe" or that security is about good operating systems, so its operating systems folks problem or networking folks problem.